RE: [Snort-sigs] Issue with rule sid 255

Hey Brian,

Attached are two windump files (I set the snaplen to 1500). I totally agree with you in that the offset should work, but we are talking MS DNS servers here. *wink*

PS The dumps are from a lab so you will see IP's etc.

-----Original Message-----
From: Brian [mailto:bmc@snort.org]
Sent: Friday, April 25, 2003 8:44 AM
To: Geoff Craig
Cc: snort-sigs@lists.sourceforge.net

On Tue, Apr 22, 2003 at 10:50:08AM -0500, Geoff Craig wrote:
> I am having an issue with the TCP DNS Zone transfer rule included in
the
> 2.0 distribution. Unless I remove both the offset and the flow
Windows
> 2000/2003 DNS servers. The rule used to look like this; (apologizes
> for the wrap)

Can you send pcap for that?

IFAIK, the zone transfer query type should actually be at least 16 bytes

from the beginning of the packet.

  2 bytes (length)
+ 2 bytes (transaction id)
+ 2 bytes (flags)
+ 2 bytes (questions)
+ 2 bytes (answer RRs)
+ 2 bytes (authority RRs)
+ 2 bytes (additional RRs)
+ 1 byte  (count for the first label) [0]

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related snort.org Links snort-announce snort-cvsinfo snort-devel snort-sigs snort-users Request more information about Pantek

We look for the label terminating byte (0x00) followed by the AXFR request
(0x00fc). Simple math tells us our offset needs to be 15.

Can you send me pcap for what this does?

[0] since this is a zone transfer, they have to ask for the zone, so

    we know there is going to be at least one label.

-brian