Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:1616 |
Message | DNS named version attempt |
Summary | This event is generated when an attempt is made to query version.bind on your DNS server. |
Impact | Reconnaissance. This may indicate which version of BIND the server is running. |
Detailed Information | An attacker can query a DNS server for the version of BIND it is running. Some versions of BIND respond to these queries by default, while BIND version 9, by default, does not. A response to this query can help an attacker discover servers that are potentially vulnerable to exploits associated with specific versions of BIND. |
Affected Systems | All versions of BIND. |
Attack Scenarios | An attacker can execute this query to find DNS servers running specific versions of BIND. |
Ease of Attack | Simple. Use the Unix command 'dig @ns.com version.bind txt chaos' |
Corrective Action | Remove the ability to retrieve the version.bind chaos record via configuration options. |
Additional References | Nessus: http://cgi.nessus.org/plugins/dump.php3?id=10028 Arachnids: http://www.whitehats.com/info/IDS278 |
Rule References | arachnids: 278 nessus: 10028 |
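
The check this event describes, as an added example (not Aanval's or Snort's own rule code): a Python function that parses the question section of a DNS message and flags a TXT query for version.bind in the CHAOS class. It assumes a UDP payload (no TCP length prefix); the function names are illustrative and the query bytes are constructed in the block.

```python
import struct

QTYPE_TXT = 16     # TXT record type
QCLASS_CHAOS = 3   # CH (CHAOS) class, as in 'dig ... txt chaos'

def encode_name(name):
    """Encode a dotted name as DNS labels (length byte + label, zero-terminated)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype, qclass, flags=0x0100, txid=0x1234):
    """Build a constructed single-question DNS message to exercise the detector."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)

def parse_question(msg):
    """Return (qname, qtype, qclass) of the first question, or None if not a valid query."""
    if len(msg) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", msg[2:6])
    if flags & 0x8000 or qdcount < 1:      # skip responses and question-less messages
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            return None                    # name runs past the end of the message
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(msg):   # pointer or truncated label
            return None
        # DNS names are case-insensitive, so normalise before comparing.
        labels.append(msg[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(msg):
        return None
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype, qclass

def is_version_bind_query(msg):
    """True when the message asks for version.bind TXT in the CHAOS class."""
    return parse_question(msg) == ("version.bind", QTYPE_TXT, QCLASS_CHAOS)
```
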
--
DID:759293