Seeing (Sig)Red
ID: 258cc2dd-f554-51d9-8c38-79e903a2f570
STIX ID: report--258cc2dd-f554-51d9-8c38-79e903a2f570
Feed Name: SensePost Blog
This post documents detection techniques for CVE-2020-1350 (SigRed), describing the DNS packet characteristics used by the exploit and providing multiple Suricata IDS rules to detect and correlate exploitation attempts, insider queries, and victim behavior, along with testing notes and rule tuning to reduce false positives.
