# Author: Felipe Molina de la Torre (@felmoltor)
# If not already defined, add the address-group variable $DNS_SERVERS to your suricata.yaml, pointing at your Windows DNS servers
# e.g. under vars: address-groups:   DNS_SERVERS: "[10.20.30.1,10.20.30.2,10.20.30.3]"
# A truncated DNS answer has QR and TC set in the flags byte at offset 2: 1000 0010 = 0x82 = 130
# The byte_test reads 1 byte at offset 2 and bitwise ANDs it with the TC bit (0x02); '&' matches when the result is non-zero, so testing 0x82 would also fire on every ordinary answer (QR set), and reading 2 bytes would test the RA/RCODE byte at offset 3 instead of TC. QR is already implied by to_client from port 53.
# The |00 00 18 00 01| payload means "end of the domain name string" (0x00) followed by SIG (0x0018) IN (0x0001), within the first 120 bytes of the DNS message
alert dns $EXTERNAL_NET 53 -> $DNS_SERVERS any (msg:"Windows DNS SigRed Exploit (TC header)";flow:established,to_client;classtype:denial-of-service;byte_test:1,&,0x02,2;content:"|00 00 18 00 01|";within:120;xbits:set,tc_requested,track ip_pair;noalert;reference:cve,2020-1350;sid:666661;rev:2;)
# A TCP DNS answer (QR bit 0x80 in the flags byte at offset 4, because TCP DNS carries a 2-byte length prefix) whose length prefix is greater than 65280 (0xFF00) and which contains the malformed compression bytes "0xc00d", or a greater value in the second byte (a well-formed first answer points back to the question name with 0xc00c).
# Why 0xFF00? I saw PoCs sending TCP payloads smaller than I initially thought (0xFFF0). To have an overflow I would need to consider that the ASCII characters of the domain name can take values from 0 to 255. The first character of the domain name is going to be used to overflow the buffer, so, assuming the limit case, the threshold is 65535 - 255 = 65280 = 0xFF00.
# The |00 00 18 00 01| payload means "end of the domain name string" (0x00) followed by SIG (0x0018) IN (0x0001), within the first 120 bytes of the TCP payload
alert tcp $EXTERNAL_NET 53 -> $DNS_SERVERS any (msg:"Windows DNS SigRed Exploit (Compressed SIG record)";flow:established,to_client;classtype:denial-of-service;byte_test:2,>,0xFF00,0;byte_test:1,&,0x80,4;content:"|00 00 18 00 01|";within:120;content:"|c0|";within:31;byte_test:1,>,0x0c,0,relative;xbits:isset,tc_requested,track ip_pair;reference:cve,2020-1350;sid:666662;rev:3;)
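# Added example, not part of the gist: the checks of the two rules above re-implemented in plain Python
# (single-byte flag tests, same offsets and windows) and run over constructed DNS replies so the byte
# offsets can be verified by hand. The message IDs, names and rdata are made up; only the fields the
# rules inspect are realistic.

```python
import struct

# Name terminator (0x00) followed by TYPE SIG (0x0018) and CLASS IN (0x0001);
# in a reply this is normally the tail of the echoed question section.
SIG_IN = b"\x00\x00\x18\x00\x01"

def udp_tc_requested(msg):
    """sid 666661: UDP reply with TC set in the flags byte at offset 2
    and the SIG/IN pattern ending within the first 120 bytes."""
    if len(msg) < 12 or not (msg[2] & 0x02):       # byte_test:1,&,0x02,2
        return False
    return msg.find(SIG_IN, 0, 120) != -1          # content:"|00 00 18 00 01|"; within:120

def tcp_compressed_sig(msg):
    """sid 666662: TCP reply whose length prefix exceeds 0xFF00, QR set in the
    flags byte at offset 4, SIG/IN in the first 120 bytes and, ending within 31
    bytes of it, a compression pointer 0xC0xx whose second byte is above 0x0c
    (a well-formed first answer points back to the qname with 0xC00C)."""
    if len(msg) < 14 or struct.unpack_from("!H", msg, 0)[0] <= 0xFF00:  # byte_test:2,>,0xFF00,0
        return False
    if not (msg[4] & 0x80):                        # byte_test:1,&,0x80,4
        return False
    start = 0                                      # retry later SIG_IN / 0xC0 hits, as Suricata does
    while (sig_at := msg.find(SIG_IN, start, 120)) != -1:
        end = sig_at + len(SIG_IN)
        c0_at = msg.find(b"\xc0", end, end + 31)   # content:"|c0|"; within:31
        while c0_at != -1:
            if c0_at + 1 < len(msg) and msg[c0_at + 1] > 0x0c:  # byte_test:1,>,0x0c,0,relative
                return True
            c0_at = msg.find(b"\xc0", c0_at + 1, end + 31)
        start = sig_at + 1
    return False

# Constructed samples, not captured traffic: the rdata is filler and the 0xFF10
# length prefix is deliberately larger than the sample it is attached to.
QNAME = b"\x02ns\x07example\x04test\x00"           # ns.example.test

def dns_msg(flags, answer_name):
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    question = QNAME + b"\x00\x18\x00\x01"         # QTYPE SIG, QCLASS IN
    answer = answer_name + b"\x00\x18\x00\x01\x00\x00\x0e\x10\x00\x04\x00\x00\x00\x00"
    return header + question + answer

UDP_TRUNCATED = dns_msg(0x8280, b"\xc0\x0c")      # QR, TC, RA
UDP_NORMAL = dns_msg(0x8180, b"\xc0\x0c")         # QR, RD, RA, no TC
TCP_NORMAL = struct.pack("!H", 120) + dns_msg(0x8180, b"\xc0\x0c")
TCP_LONG_OK = struct.pack("!H", 0xFF10) + dns_msg(0x8180, b"\xc0\x0c")   # long, but pointer is 0xC00C
TCP_SUSPECT = struct.pack("!H", 0xFF10) + dns_msg(0x8180, b"\xc0\x0d")   # pointer past the qname
```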