Detecting “TSIG” Packets

Snort Rules:

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"IDS277 - NAMED Iquery Probe"; content: "|0980 0000 0001 0000 0000|"; offset: 2; depth: 16;)

activate udp any any -> any 53 (msg:"Bind TSIG Overflow Attempt"; content: "|80 00 07 00 00 00 00 00 01 3F 00 01 02|/bin/sh"; tag: host, 300, seconds, src;)

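The Python script below is an added example, not part of the original page: it models the content/offset/depth matching of the two rules above and runs it over constructed DNS payloads (an ordinary A query, an inverse query carrying the header bytes IDS277 looks for, and a payload embedding the TSIG rule's signature bytes) so you can see which bytes each rule actually keys on. The RULES table, helper names and sample packets are assumptions of the example; port, direction, activate and tag handling are not modelled.

```python
import struct

# Hex byte strings copied verbatim from the two rules above.
IQUERY_PROBE_CONTENT = bytes.fromhex("0980 0000 0001 0000 0000")
TSIG_OVERFLOW_CONTENT = bytes.fromhex("80 00 07 00 00 00 00 00 01 3F 00 01 02") + b"/bin/sh"

# name -> (content, offset, depth); depth 0 means search to the end of the payload.
RULES = {
    "IDS277 - NAMED Iquery Probe": (IQUERY_PROBE_CONTENT, 2, 16),
    "Bind TSIG Overflow Attempt": (TSIG_OVERFLOW_CONTENT, 0, 0),
}


def content_match(payload, content, offset=0, depth=0):
    """Modelled Snort semantics: start at `offset` and search `depth` bytes
    from there (the rest of the payload when depth is 0)."""
    window = payload[offset:] if depth == 0 else payload[offset:offset + depth]
    return content in window


def matching_rules(payload):
    """Names of the rules whose content option fires on this UDP payload."""
    return [n for n, (c, o, d) in RULES.items() if content_match(payload, c, o, d)]


def dns_opcode(payload):
    """DNS OPCODE (bits 1-4 of the flags word at payload offset 2)."""
    flags = struct.unpack_from(">H", payload, 2)[0]
    return (flags >> 11) & 0xF


def dns_header(flags, qdcount, ancount, nscount=0, arcount=0, txid=0x1234):
    """12-byte DNS header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT."""
    return struct.pack(">HHHHHH", txid, flags, qdcount, ancount, nscount, arcount)


# Constructed sample payloads (not captures).
# 1) Ordinary recursive A query for example.com: flags 0x0100, QDCOUNT=1.
BENIGN_QUERY = (dns_header(0x0100, 1, 0)
                + b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1))
# 2) Inverse query with one answer RR: flags 0x0980 = OPCODE 1 (IQUERY), RD, RA set,
#    QDCOUNT=0, ANCOUNT=1; this is exactly what IDS277 matches at offset 2.
IQUERY_PROBE = (dns_header(0x0980, 0, 1)
                + b"\x00" + struct.pack(">HHIH", 1, 1, 0, 4) + bytes(4))
# 3) Query whose payload embeds the TSIG rule's signature bytes (no offset/depth,
#    so the second rule searches the whole payload).
TSIG_SAMPLE = dns_header(0x0100, 1, 0) + TSIG_OVERFLOW_CONTENT

if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN_QUERY), ("iquery", IQUERY_PROBE), ("tsig", TSIG_SAMPLE)]:
        print(f"{name}: opcode={dns_opcode(pkt)} fires={matching_rules(pkt)}")
```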