Rule:  alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version
attempt"; content:"|07|version"; offset:12; content:"|04|bind"; nocase;
offset: 12; reference:arachnids,278; classtype:attempted-recon; sid:257;
rev:1;) 

--
Sid: 257

--
Summary: A remote machine attempted to determine the version of your DNS
server.

--
Impact: Could indicate an impending attack, or maybe an innocent
reconnaissance attempt. 

--
Detailed Information: A remote machine attempted to determine the version
of your BIND DNS server.

--
Attack Scenarios:
As part of reconnaissance leading upto a potential intrusion attempt, an
attacker may attempt to determine the BIND version that you are running in
hopes of finding an unpatched version.

--
Ease of Attack:
Trivial:

[ jhart@testhost (2:37PM) ~  ]
$  dig @10.0.0.2 version.bind chaos txt      

; <<>> DiG 8.1 <<>> @amber version.bind chaos txt 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;      version.bind, type = TXT, class = CHAOS

;; ANSWER SECTION:
VERSION.BIND.           0S CHAOS TXT    "8.2.3-REL"

;; Total query time: 1 msec
;; FROM: testhost to SERVER: foobar  10.0.0.2 
;; WHEN: Tue Jan 29 14:42:42 2002
;; MSG SIZE  sent: 30  rcvd: 64



--
False Positives:
None.

--
False Negatives:
None.

--
Corrective Action:
Disable the ability for untrusted (remote) machines to determine your named
version.  

--
Contributors:
Jon Hart <warchild@spoofed.org>

-- 
Additional References: