PROTOCOL-DNS: Snort alerted on a Domain Name Server (DNS) protocol issue. These packets travel over UDP on port 53 to serve DNS queries, such as user website requests made through a browser. Several vulnerability use cases exist (i.e., additional data could be sent with a request, which would contact a DNS server pre-prepared to send information back and forth).
PROTOCOL-DNS BIND DNS server TSIG denial of service attempt
The rule looks for evidence of a crafted DNS TSIG query intended to trigger an assertion failure in some versions of BIND servers.
What To Look For
This rule fires on attempted exploitation of CVE-2020-8617, a denial of service vulnerability in some versions of BIND servers.
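When triaging an alert from this rule, it helps to see what the TSIG record in the flagged query actually contains. The following added example (not part of the original rule documentation and not Snort's detection logic) parses a raw DNS message and extracts the TSIG fields as laid out in RFC 8945; the function names and the sample message are constructed for illustration.

```python
import struct

TSIG_TYPE = 250  # RR type code for TSIG (RFC 8945)

def read_name(msg, off):
    """Decode the domain name at off; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            if off + 1 >= len(msg) or hops >= 16:
                raise ValueError("truncated or looping compression pointer")
            end = off + 2 if end is None else end
            off, hops = ((length & 0x3F) << 8) | msg[off + 1], hops + 1
        elif length == 0:
            return ".".join(labels) + ".", (off + 1 if end is None else end)
        elif length > 63 or off + 1 + length > len(msg):
            raise ValueError("bad label length")
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii", "replace"))
            off += 1 + length

def find_tsig(msg):
    """Return the first TSIG record's fields or None; raises on malformed input."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):  # each question: name, type, class
        off = read_name(msg, off)[1] + 4
    for i in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype != TSIG_TYPE:
            continue
        alg, p = read_name(rdata, 0)  # algorithm name is never compressed
        hi, lo, fudge, mac_len = struct.unpack_from("!HIHH", rdata, p)
        orig_id, error, other_len = struct.unpack_from("!3H", rdata, p + 10 + mac_len)
        return {"key_name": owner, "algorithm": alg, "time_signed": (hi << 32) | lo,
                "fudge": fudge, "mac_len": mac_len, "original_id": orig_id, "error": error,
                "other_len": other_len, "last_in_additional": i >= an + ns and i == an + ns + ar - 1}
    return None

# Constructed sample (not captured traffic): SOA query, key "k.", all-zero MAC.
SAMPLE = (struct.pack("!6H", 0x1234, 0, 1, 0, 0, 1)
          + b"\x07example\x03com\x00" + struct.pack("!HH", 6, 1)
          + b"\x01k\x00" + struct.pack("!HHIH", TSIG_TYPE, 255, 0, 61)
          + b"\x0bhmac-sha256\x00" + struct.pack("!HIHH", 0, 1600000000, 300, 32)
          + bytes(32) + struct.pack("!3H", 0x1234, 0, 0))
```

`find_tsig(SAMPLE)` returns the key name, algorithm, timestamps, MAC length and error field of the record; a `ValueError` or `struct.error` means the message itself is malformed and deserves a closer look.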
No public information
No known false positives
Cisco Talos Intelligence Group
MITRE ATT&CK Framework
Technique: Service Stop
For reference, see the MITRE ATT&CK vulnerability types here:
Denial of Service
Denial of Service attacks aim to make a server or program unresponsive for users. These attacks may be volume-based, to overwhelm the system, or they may use certain logical flaws in the software to cut the service off from the users. The attack may come from one or multiple sources. These attacks do not usually lead to remote code execution. Volume-based attacks are best handled using a firewall application.
CVE Additional Information