Re: [Snort-sigs] Issue with rule sid 255
From: Brian <bmc(at)snort.org>
Date: Fri Apr 25 2003 - 09:43:53 EDT
On Tue, Apr 22, 2003 at 10:50:08AM -0500, Geoff Craig wrote:
Can you send pcap for that? AFAIK, the zone transfer query type should actually be at least 16 bytes from the beginning of the packet.

2 bytes (length) + 2 bytes (transaction id) + 2 bytes (flags) + 2 bytes (questions) + 2 bytes (answer RRs) + 2 bytes (authority RRs) + 2 bytes (additional RRs) + 1 byte (count for the first label) [0]

We look for the label terminating byte (0x00) followed by the AXFR request (0x00fc). Simple math tells us our offset needs to be 15.

Can you send me pcap for what this does?

[0] Since this is a zone transfer, they have to ask for the zone, so we know there is going to be at least one label.

-brian

Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Fri Apr 25 10:15:46 2003
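The byte accounting in Brian's reply, worked through as an added example that is not part of the mailing-list thread or of the Snort rule set. The script constructs a sample AXFR query as it would appear in a TCP stream (2-byte length prefix, 12-byte DNS header, QNAME labels, QTYPE, QCLASS), then checks it two ways: a search for the 0x00 0x00 0xfc pattern starting at byte 15, which is what a content match with offset 15 does, and a structural parser that walks the labels to the QTYPE field. Function names, the transaction id, and the query names are constructed for this illustration; the two-byte pattern search models the rule's behaviour and is not Snort's own matching code.

```python
import struct

AXFR_QTYPE = 0x00FC            # QTYPE for a zone transfer request
TCP_DNS_HEADER_LEN = 2 + 12    # 2-byte length prefix + 12-byte DNS header


def build_tcp_dns_query(name, qtype, txid=0x1234):
    """Build a single-question DNS query as carried over TCP.

    Constructed sample data for this example, not captured traffic.
    Layout: length prefix, header (id, flags, qdcount, ancount, nscount,
    arcount), then QNAME labels, QTYPE, QCLASS=IN.
    """
    labels = name.rstrip(".").split(".")
    qname = b"".join(struct.pack("B", len(lbl)) + lbl.encode() for lbl in labels)
    qname += b"\x00"  # terminating label
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = qname + struct.pack(">HH", qtype, 1)
    message = header + question
    return struct.pack(">H", len(message)) + message


def rule_style_match(payload, offset=15):
    """Model of content:"|00 00 FC|" with offset:15 on the TCP payload.

    The pattern is searched from byte `offset` onward, so with one or more
    labels present the label terminator plus AXFR type can never sit
    earlier than the 15 bytes counted in the thread.
    """
    return payload.find(b"\x00\x00\xfc", offset) != -1


def parse_qtype(payload):
    """Walk the structure to the QTYPE of the first question.

    Returns (qtype_offset, qtype), or None if the payload is truncated or
    the name is not a plain sequence of labels (e.g. a compression pointer,
    which a query's question name should not use).
    """
    pos = TCP_DNS_HEADER_LEN
    while True:
        if pos >= len(payload):
            return None
        label_len = payload[pos]
        if label_len == 0:          # terminating label
            pos += 1
            break
        if label_len & 0xC0:        # compression pointer: reject
            return None
        pos += 1 + label_len
    if pos + 2 > len(payload):
        return None
    return pos, struct.unpack(">H", payload[pos:pos + 2])[0]


def is_axfr(payload):
    """True when the first question's QTYPE is AXFR, judged structurally."""
    parsed = parse_qtype(payload)
    return parsed is not None and parsed[1] == AXFR_QTYPE


if __name__ == "__main__":
    for name, qtype in (("a", AXFR_QTYPE), ("example.com", 1)):
        pkt = build_tcp_dns_query(name, qtype)
        print(name, pkt.hex(), parse_qtype(pkt), rule_style_match(pkt), is_axfr(pkt))
```

With the one-character zone name the structural walk finds the QTYPE immediately after the terminator, and the offset-15 search and the parser agree; for an ordinary A query for example.com both report no match. The parser is the stricter of the two checks, since the pattern search will also fire on any 00 00 fc sequence that happens to appear later in the payload, while the parser returns None rather than guessing on a truncated question.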