
[Snort-sigs] Issue with rule sid 255

From: Geoff Craig <GCraig(at)quilogy.com>
Date: Tue Apr 22 2003 - 11:50:08 EDT


Hello all,  

I am having an issue with the TCP DNS zone transfer rule included in the 2.0 distribution. Unless I remove both the offset and the flow keywords, the rule never fires. The environment I am in has all Windows 2000/2003 DNS servers. The rule used to look like this (apologies for the wrap):

alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; flow:to_server,established; content: "|00 00 FC|"; offset:14; reference:cve,CAN-1999-0532; reference:arachnids,212; classtype:attempted-recon; sid:255; rev:7;)  

The working rule looks like this:

alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; content: "|00 00 FC|"; reference:cve,CAN-1999-0532; reference:arachnids,212; classtype:attempted-recon; sid:255; rev:7;)  

Thanks,  

Geoff Craig  
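An added example (not part of the original post or of the Snort rule set) that constructs an AXFR request as it appears on the wire over TCP and reports where the rule's "|00 00 FC|" content lands, so the effect of the offset:14 keyword can be checked against a captured payload. It assumes the Snort semantics of offset (the match must begin at or after the given byte) and a well-formed query per RFC 1035; the zone names, transaction ID and flags are constructed sample values.

```python
# Added example: where does sid 255's "|00 00 FC|" content sit in a TCP AXFR query?
# Over TCP a DNS message carries a 2-byte length prefix, then the 12-byte header,
# then the question (QNAME, QTYPE, QCLASS). offset:14 == 2 + 12, i.e. the first
# byte of QNAME; the pattern is the QNAME terminator followed by QTYPE 252 (AXFR).
import struct

AXFR_PATTERN = b"\x00\x00\xfc"   # last QNAME byte + QTYPE 0x00FC
QTYPE_AXFR = 252
QCLASS_IN = 1


def encode_qname(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    name = name.rstrip(".")
    if not name:                       # root zone "." is just the terminator
        return b"\x00"
    out = b""
    for label in name.split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x1234,
                     tcp_length_prefix: bool = True) -> bytes:
    """Constructed AXFR request payload (sample txid/flags, not a real capture).

    tcp_length_prefix=False shows a payload that begins directly at the DNS
    header, e.g. if the 2-byte length were carried in a separate segment.
    """
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # QDCOUNT=1
    question = encode_qname(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    msg = header + question
    return (struct.pack("!H", len(msg)) + msg) if tcp_length_prefix else msg


def content_offset(payload: bytes, pattern: bytes = AXFR_PATTERN) -> int:
    """Byte index where the content pattern first occurs, or -1 if absent."""
    return payload.find(pattern)


def matches_with_offset(payload: bytes, offset: int) -> bool:
    """Emulate Snort 'content' + 'offset': search starts at byte 'offset'."""
    return payload.find(AXFR_PATTERN, offset) != -1


if __name__ == "__main__":
    for zone in ("example.com", "."):
        for prefixed in (True, False):
            p = build_axfr_query(zone, tcp_length_prefix=prefixed)
            print(f"zone={zone!r:14} length_prefix={prefixed!s:5} "
                  f"pattern_at={content_offset(p):3} offset14_ok={matches_with_offset(p, 14)}")
```

Feed a payload carved from a packet capture of one of your own zone transfers into content_offset() and matches_with_offset() to see whether the offset constraint is what keeps the rule from firing.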




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Tue Apr 22 12:38:59 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:27 EDT
