1) The script checks for the heuristic described here: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-16898-bad-neighbor/
Install with: zeek-pkg install zeek/initconf/CVE-2020-16898-Bad-Neighbor
or load it directly with: @load CVE-2020-16898-Bad-Neighbor/scripts
The heuristic is simple. As per https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-16898-bad-neighbor/:
- Look for packets with an ICMPv6 Type field of 134, indicating Router Advertisements,
- and an ICMPv6 Option field of 25, indicating Recursive DNS Server (RDNSS).
- If this RDNSS option also has a length field value that is even, the heuristic would drop or flag the associated packet, as it is likely part of a Bad Neighbor exploit attempt.
Example notice: ICMP::BadNeighbor ***************************
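
The heuristic above, written out as a standalone Python check. This is an added example, not the package's Zeek script. It assumes the input is the raw ICMPv6 message starting at the Type byte, and the function names and sample packets are constructed for illustration. A well-formed RDNSS option has an 8-byte header plus 16 bytes per address, so its Length (in 8-octet units) is always odd.

```python
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134   # ICMPv6 Type for Router Advertisement
ND_OPT_RDNSS = 25                   # Recursive DNS Server option
RA_HEADER_LEN = 16                  # fixed RA fields that precede the options


def suspicious_rdnss_options(icmpv6: bytes) -> list:
    """Return (offset, length_field) for every RDNSS option whose length is even."""
    if len(icmpv6) < RA_HEADER_LEN or icmpv6[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return []
    hits = []
    offset = RA_HEADER_LEN
    while offset + 2 <= len(icmpv6):
        opt_type, opt_len = icmpv6[offset], icmpv6[offset + 1]
        if opt_len == 0:             # invalid option length, stop walking
            break
        if opt_type == ND_OPT_RDNSS and opt_len % 2 == 0:
            hits.append((offset, opt_len))
        offset += opt_len * 8        # Length is counted in units of 8 octets
    return hits


def build_ra(options: bytes) -> bytes:
    """Constructed sample RA; the checksum is left at zero."""
    return struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0) + options


def rdnss(length_field: int) -> bytes:
    """Constructed RDNSS option, zero-filled to length_field * 8 bytes."""
    header = struct.pack("!BBHI", ND_OPT_RDNSS, length_field, 0, 600)
    return header + bytes(length_field * 8 - 8)


SLLA = bytes([1, 1, 0x02, 0, 0, 0, 0, 1])   # constructed source link-layer option

if __name__ == "__main__":
    for name, pkt in (("odd length 3", build_ra(SLLA + rdnss(3))),
                      ("even length 4", build_ra(SLLA + rdnss(4)))):
        print(name, "->", suspicious_rdnss_options(pkt) or "clean")
```

The returned offset is relative to the start of the ICMPv6 message, which makes it easy to line a hit up against a packet capture.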