Based in San Francisco Bay Area, Securesql is a blog by John Menerick. His insights dissect complex systems, offering a masterclass in cyber guardianship through expert analysis and cutting-edge protective strategies.

Glibc DNS IDS signature

Here are two slightly optimized Snort-format IDS signatures for glibc's getaddrinfo stack buffer overflow (CVE-2015-7547): one for DNS replies over UDP and one for replies over TCP. Please adapt them to your liking.

alert udp any 53 -> any any (msg:"LP UDP-DNS REPLY OVERFLOW CVE-2015-7547"; content:"|83 80 00 01|"; content:"|00 01 00 01|"; distance:10; pcre:"/\x00\x01\x00\x01(.{2000,})/s"; reference:url,googleonlinesecurity.blogspot.fr/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html; classtype:attempted-admin; sid:%YOUR CHOICE%; rev:1;)


alert tcp any 53 -> any any (msg:"LP TCP-DNS REPLY OVERFLOW CVE-2015-7547"; content:"|83 80 00 01|"; content:"|00 1c 00 01|"; distance:10; pcre:"/\x00\x1c\x00\x01(.{2000,})/s"; reference:url,googleonlinesecurity.blogspot.fr/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html; classtype:attempted-admin; sid:%YOUR CHOICE%; rev:1;)
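To see what the two rules above actually fire on before loading them into a sensor, here is an added offline check. It is not part of the original post: it re-implements the rules' content / distance / pcre chain in plain Python (an approximation of Snort's matching semantics, assumed here rather than taken from a Snort run) and applies it to DNS replies constructed in the script itself. The query name, transaction ID and answer blob are made up; the blob is not a valid A/AAAA record and only exists to control the message size.

```python
"""Offline check of the CVE-2015-7547 reply-overflow signatures.

Added example, not the post's own code. Snort content/distance/pcre
evaluation is approximated in Python (an assumption), and every DNS
reply tested is constructed below (not captured traffic).
"""
import re
import struct

# Bytes the first content option looks for: flags 0x8380
# (QR=1, TC=1, RD=1, RA=1, RCODE=0) followed by QDCOUNT=1.
FLAGS_AND_QDCOUNT = b"\x83\x80\x00\x01"
QTYPE_A = 1
QTYPE_AAAA = 28  # 0x1c


def encode_qname(name):
    """Wire-format a dotted name as length-prefixed labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_reply(flags, qtype, rdata_len, tcp=False, txid=0x1234):
    """Constructed DNS reply: header, one question, one answer RR whose RDATA
    is an opaque blob of rdata_len bytes (size control only, not a real
    record). For TCP the 2-byte length prefix is prepended, as on the wire."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_qname("www.example.com") + struct.pack("!HH", qtype, 1)
    rdata = b"A" * rdata_len
    # 0xc00c = compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    msg = header + question + answer
    return struct.pack("!H", len(msg)) + msg if tcp else msg


def signature_matches(payload, qtype):
    """Apply the rule's three tests, in order, to one payload:
    1. content "|83 80 00 01|" anywhere in the payload;
    2. content <qtype><class IN> starting at least distance:10 bytes
       after the end of match 1;
    3. pcre /<qtype><class>(.{2000,})/s over the whole payload, i.e. at
       least 2000 bytes following some occurrence of those four bytes."""
    first = payload.find(FLAGS_AND_QDCOUNT)
    if first < 0:
        return False
    type_class = struct.pack("!HH", qtype, 1)
    if payload.find(type_class, first + len(FLAGS_AND_QDCOUNT) + 10) < 0:
        return False
    pcre = re.compile(re.escape(type_class) + rb"(.{2000,})", re.DOTALL)
    return pcre.search(payload) is not None


def udp_rule_matches(payload):
    """The UDP rule: A question type, flags 0x8380, 2000+ trailing bytes."""
    return signature_matches(payload, QTYPE_A)


def tcp_rule_matches(stream):
    """The TCP rule: AAAA question type. The content and pcre options are
    unanchored, so the TCP length prefix does not stop them matching."""
    return signature_matches(stream, QTYPE_AAAA)


def run_samples():
    """Return (sample name, alerted?) pairs for the constructed replies."""
    return [
        ("udp_small_A_reply", udp_rule_matches(build_reply(0x8380, QTYPE_A, 4))),
        ("udp_oversized_tc_set", udp_rule_matches(build_reply(0x8380, QTYPE_A, 2100))),
        ("udp_oversized_tc_clear", udp_rule_matches(build_reply(0x8180, QTYPE_A, 2100))),
        ("tcp_oversized_AAAA", tcp_rule_matches(build_reply(0x8380, QTYPE_AAAA, 2100, tcp=True))),
        ("tcp_oversized_A_vs_AAAA_rule", tcp_rule_matches(build_reply(0x8380, QTYPE_A, 2100, tcp=True))),
    ]


if __name__ == "__main__":
    for name, hit in run_samples():
        print(f"{name:30s} {'ALERT' if hit else 'no match'}")
```

Two properties of the rules fall out of running this. First, the flags match is exact: a 2100-byte reply with flags 0x8180 (same reply but TC clear) never alerts, so the rules only cover replies that carry the truncation bit; decide whether that fits the traffic you expect. Second, in the UDP rule the pcre's `\x00\x01\x00\x01` already matches QDCOUNT=1/ANCOUNT=1 in the header, so in practice it is a check that the reply is about 2008 bytes or longer rather than a check tied to the question section. The TCP rule also carries no `flow:established,to_client`, so add one if your sensor tracks streams. Both are reasons to take the post's advice and adapt the rules rather than deploy them verbatim.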
