CVE-2020-1350 (AKA SIGRed) v0.30

Summary:

A Zeek package for detection of attempts to exploit Microsoft Windows DNS server via CVE-2020-1350 (AKA SIGRed - CVE Score of 10.0)

References:

https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350
https://cve.mitre.org/cgi-bin/cvename.cgi?name=ALAS-2020-1350

Notices raised :

| Notice | Fidelity | | -------- | ---------------------- | |CVE_2020_1350::CVE_2020_1350_Detected_High_Confidence CVE-2020-1350 Windows DNS exploit (CVE10) has been detected (High Confidence, large SIG/KEY response) Refer to links: https://cve.mitre.org/cgi-bin/cvename.cgi?name=ALAS-2020-1350 and https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/|High| |Potential CVE-2020-1350 Windows DNS exploit (CVE10) has been detected (large DNS RRSIG/TKEY response). Refer to links: https://cve.mitre.org/cgi-bin/cvename.cgi?name=ALAS-2020-1350 and https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/|Medium/High| |Potential CVE-2020-1350 Windows DNS exploit (CVE10) has been detected (large DNS response). Refer to links: https://cve.mitre.org/cgi-bin/cvename.cgi?name=ALAS-2020-1350 and https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/|Medium/High|

By default, all notices are enabled, however if you'd like to enable only the High Fidelity notice (due to noise/performance or other reasons) you can change the option in scripts/CVE-2020-1350.zeek to True i.e option only_enable_high_fidelity_notice: bool = T;