[Snort-sigs] Issue with rule sid 255

Geoff Craig GCraig at ...1467...
Tue Apr 22 08:51:33 EDT 2003


Hello all,
 
I am having an issue with the TCP DNS zone transfer rule included in the
2.0 distribution.  Unless I remove both the offset and the flow
keywords, the rule never fires.  The environment I am in has all Windows
2000/2003 DNS servers.  The rule used to look like this (apologies
for the wrap):
 
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; flow:to_server,established; content: "|00 00 FC|"; offset:14; reference:cve,CAN-1999-0532; reference:arachnids,212; classtype:attempted-recon; sid:255; rev:7;)
 
The working rule looks like this:
 
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; content: "|00 00 FC|"; reference:cve,CAN-1999-0532; reference:arachnids,212; classtype:attempted-recon; sid:255; rev:7;)
 
Thanks,
 
Geoff Craig
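Added example (not code from the original post or from the Snort project): it shows what the two sid 255 variants above actually inspect on the wire, by building an AXFR request the way RFC 1035 section 4.2.2 frames DNS over TCP (two-byte length prefix, 12-byte header, then the question) and running a small, hypothetical reimplementation of Snort's content/offset matching over it. The pattern "|00 00 FC|" is the zero byte that terminates QNAME followed by QTYPE 252 (AXFR), and 14 is the first byte after the length prefix and header, which is where the rule's offset:14 comes from. The zone name, transaction ID and segment split point are constructed sample values.

```python
# Added example, not from the original post or the Snort project: models what
# sid 255's  content:"|00 00 FC|"; offset:14;  options inspect in a DNS AXFR
# request over TCP (RFC 1035 section 4.2.2) with a minimal, hypothetical
# reimplementation of Snort's content/offset matching.
import struct

QTYPE_AXFR = 252      # 0x00FC
QCLASS_IN = 1
PATTERN = bytes.fromhex("0000fc")   # QNAME terminator (00) + QTYPE AXFR (00 FC)


def encode_qname(name):
    """Encode a dotted name as RFC 1035 labels, terminated by a zero-length label."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """DNS message: 12-byte header (QDCOUNT=1) followed by one AXFR/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_qname(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


def tcp_framed(message):
    """DNS over TCP prepends a two-byte big-endian length to the message."""
    return struct.pack("!H", len(message)) + message


def content_match(payload, pattern, offset=0):
    """Snort 'content' with 'offset': the match may begin at byte `offset` or later."""
    return payload.find(pattern, offset) != -1


def rule_255_rev7(payload):
    """The distributed rule's payload test: content:"|00 00 FC|"; offset:14;"""
    return content_match(payload, PATTERN, offset=14)


def rule_255_without_offset(payload):
    """The poster's modified rule: same content, no offset (and no flow)."""
    return content_match(payload, PATTERN)


def pattern_position(payload):
    """Byte where the pattern sits: 2 (length) + 12 (header) + len(QNAME) - 1."""
    return payload.find(PATTERN)


def fires_on_segments(payload, split_at, rule):
    """Evaluate a rule per TCP segment, i.e. with no stream reassembly."""
    return any(rule(seg) for seg in (payload[:split_at], payload[split_at:]))


if __name__ == "__main__":
    q = tcp_framed(build_axfr_query("example.com"))   # constructed sample request
    print("pattern at byte", pattern_position(q))       # 26 = 2 + 12 + 13 - 1
    print("rev7 fires:", rule_255_rev7(q),
          "no-offset fires:", rule_255_without_offset(q))
    # The root zone has the shortest possible QNAME (a single zero byte), so the
    # pattern starts exactly at byte 14: offset:14 is the tightest correct bound.
    print("root zone pattern at", pattern_position(tcp_framed(build_axfr_query("."))))
    # If the request is split across two TCP segments inside the pattern and the
    # rule is evaluated per segment, neither variant of the rule can fire.
    print("split inside pattern:",
          fires_on_segments(q, 27, rule_255_rev7),
          fires_on_segments(q, 27, rule_255_without_offset))
```

In this model offset:14 is satisfied by every single-segment AXFR request, including one for the root zone, so the offset by itself is not too strict; the only difference between the two rules that this byte-level check cannot model is flow:to_server,established. In Snort 2.x that option relies on the stream4 preprocessor's session tracking and on Snort having seen the connection's handshake, so two things worth checking are that stream4 is enabled in snort.conf and, with a packet capture of an actual transfer, whether the request arrives in one segment or with the two-byte length prefix in its own segment.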
 