[Snort-devel] ACK. Re: [Snort-users] version.bind (part of the problem) (fwd)

Max Vision vision at ...195...
Thu Feb 8 18:52:41 EST 2001


Ok I am stumped.  The depth:18; tag shouldn't even work!  The version.bind
string goes about 25 bytes into the packet...

Something is definitely broken.  Additionally, I may be confused about the
nature of depth (I thought depth 18 would only consider bytes 0-18), but
even if I'm confused, something is still broken as depth:26; isn't working
for some people.

help?

---------- Forwarded message ----------
Date: Thu, 8 Feb 2001 03:45:18 -0800
From: Aaron <lilnick at ...265...>
To: Max Vision <vision at ...195...>
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] version.bind (part of the problem)

Here it is:

Query:
(~)$ dig @XXX.XXX.XXX.10 version.bind chaos txt

; <<>> DiG 8.3 <<>> @XXX.XXX.XXX.10 version.bind chaos txt
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;      version.bind, type = TXT, class = CHAOS

;; ANSWER SECTION:
VERSION.BIND.           0S CHAOS TXT    "4.9.8-REL"

;; Total query time: 90 msec
;; FROM: cobalt.nepenthes.org to SERVER: XXX.XXX.XXX.10
;; WHEN: Thu Feb  8 03:36:27 2001
;; MSG SIZE  sent: 30  rcvd: 64



[root at ...266... conf]# snort -i eth1 -dv port 53 and host YYY.YYY.YYY.240 and host XXX.XXX.XXX.10

        --== Initializing Snort ==--

Initializing Network Interface eth1
WARNING: OpenPcap() device eth1 network lookup:
        eth1: no IPv4 address assigned
Decoding Ethernet on interface eth1

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.7
By Martin Roesch (roesch at ...16..., www.snort.org)
02/08-14:38:48.170911 YYY.YYY.YYY.240:55579 -> XXX.XXX.XXX.10:53
UDP TTL:50 TOS:0x0 ID:59253 IpLen:20 DgmLen:58
Len: 38
00 06 01 00 00 01 00 00 00 00 00 00 07 76 65 72  .............ver
73 69 6F 6E 04 62 69 6E 64 00 00 10 00 03        sion.bind.....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/08-14:38:48.171916 XXX.XXX.XXX.10:53 -> YYY.YYY.YYY.240:55579
UDP TTL:254 TOS:0x0 ID:47428 IpLen:20 DgmLen:92 DF
Len: 72
00 06 85 80 00 01 00 01 00 00 00 00 07 76 65 72  .............ver
73 69 6F 6E 04 62 69 6E 64 00 00 10 00 03 07 56  sion.bind......V
45 52 53 49 4F 4E 04 42 49 4E 44 00 00 10 00 03  ERSION.BIND.....
00 00 00 00 00 0A 09 34 2E 39 2E 38 2D 52 45 4C  .......4.9.8-REL

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


Nothing was logged using the following rule in snort config:

alert UDP $EXTERNAL any -> $INTERNAL 53 (msg:
"IDS278/named-probe-version"; content: "|07|version|04|bind"; depth: 26;
offset: 12; nocase;)

However, enabling this rule, allowed logging of this query:

alert udp $EXTERNAL any -> $INTERNAL 53 (msg: "IDS278 - SCAN -named
Version probe"; content: "|07|version|04|bind|00 0010 0003|"; nocase;
offset: 12; depth: 18;)

Let me know if you need more info

Thanks,
Aaron


On 02/08/01 at 15:10 Max Vision wrote:
>If the query comes through, but the rule doesn't trigger, then please let
>us know and post the packet trace :)
>
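The thread turns on where the `|07|version|04|bind` bytes sit in the query payload and whether a given `offset`/`depth` window covers them. The script below is an added example, not code from the Snort project or from either poster: it decodes the question section of the 30-byte UDP payload copied from the trace above, converts the two rules' `content:` strings to raw bytes the way Snort's `|..|` hex notation reads, finds the match, and then checks the window under both readings the thread is unsure about (depth counted from the start of the payload, and depth counted from `offset`). The function and variable names are the example's own.

```python
"""Locate the version.bind question in the DNS query payload from the
trace and test it against Snort-style offset/depth windows.

Added example code, not from Snort or the thread's authors.  The payload
is the 30 UDP payload bytes of the query packet in the trace; both
depth interpretations are evaluated because the thread does not settle
which one applies."""
import re
import struct

# UDP payload of the query packet, copied from the trace (30 bytes).
QUERY_PAYLOAD = bytes.fromhex(
    "00 06 01 00 00 01 00 00 00 00 00 00 07 76 65 72 "
    "73 69 6F 6E 04 62 69 6E 64 00 00 10 00 03"
)

DNS_HEADER_LEN = 12  # id, flags, qdcount, ancount, nscount, arcount (6 x u16)


def parse_question(payload):
    """Decode the first question of a DNS message.
    Returns (name, qtype, qclass, end) where end is the payload offset
    just past the question (the name starts at offset 12, after the header)."""
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos = DNS_HEADER_LEN
    labels = []
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), qtype, qclass, pos + 4


def snort_content_to_bytes(content):
    """Turn a Snort content string such as '|07|version|04|bind' into raw
    bytes: text outside |...| is literal, hex digits inside |...| are packed
    two per byte with whitespace ignored (so '|00 0010 0003|' is 5 bytes)."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            out += bytes.fromhex(re.sub(r"\s+", "", part))
    return bytes(out)


def find_content(payload, content, nocase=False):
    """Return (start, end) of the first occurrence of the content bytes in
    the payload, or None.  nocase lowercases ASCII letters on both sides,
    which is what a case-insensitive match of the textual parts amounts to."""
    needle = snort_content_to_bytes(content)
    hay = payload
    if nocase:
        needle, hay = needle.lower(), hay.lower()
    start = hay.find(needle)
    return None if start < 0 else (start, start + len(needle))


def window_covers(match, offset, depth, depth_from_offset):
    """True if the match lies wholly inside the bytes a rule with this
    offset and depth would inspect.  depth_from_offset=True means the
    window is [offset, offset+depth); False means [offset, depth) with
    depth measured from the start of the payload."""
    start, end = match
    hi = offset + depth if depth_from_offset else depth
    return start >= offset and end <= hi


if __name__ == "__main__":
    name, qtype, qclass, q_end = parse_question(QUERY_PAYLOAD)
    print(f"question: {name} type={qtype} class={qclass} (bytes 12..{q_end})")
    for rule in ("|07|version|04|bind", "|07|version|04|bind|00 0010 0003|"):
        m = find_content(QUERY_PAYLOAD, rule, nocase=True)
        print(rule, "->", m)
        for depth in (18, 26):
            print(f"  offset 12 depth {depth}:"
                  f" from-offset={window_covers(m, 12, depth, True)}"
                  f" absolute={window_covers(m, 12, depth, False)}")
```

Running it shows the 13-byte pattern occupying payload bytes 12..25 and the 18-byte pattern bytes 12..30, immediately after the 12-byte DNS header. The window of the rule that did fire (`offset: 12; depth: 18;`) holds its 18-byte pattern only when depth is counted from `offset`; counted from the payload start, neither pattern fits in 18 bytes. Both patterns fit an `offset: 12; depth: 26;` window when depth is counted from the offset, and the 13-byte one also fits when it is counted absolutely, so the rule that failed to fire has its pattern inside the window under either reading.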





More information about the Snort-devel mailing list