[Snort-sigs] Issue with rule sid 255

Geoff Craig GCraig at ...1467...
Fri Apr 25 06:54:13 EDT 2003

Hey Brian,

Attached are two windump files (I set the snaplen to 1500).  I totally
agree with you in that the offset should work, but we are talking MS DNS
servers here. *wink*

PS The dumps are from a lab so you will see IPs etc.

-----Original Message-----
From: Brian [mailto:bmc at ...95...] 
Sent: Friday, April 25, 2003 8:44 AM
To: Geoff Craig
Cc: snort-sigs at lists.sourceforge.net

On Tue, Apr 22, 2003 at 10:50:08AM -0500, Geoff Craig wrote:
> I am having an issue with the TCP DNS Zone transfer rule included in
> 2.0 distribution.  Unless I remove both the offset and the flow
> keywords, the rule never fires.  The environment I am in has all
> 2000/2003 DNS servers.  The rule used to look like this;  (apologies
> for the wrap)

Can you send pcap for that?

AFAIK, the zone transfer query type should actually be at least 16 bytes
from the beginning of the packet.

  2 bytes (length)
+ 2 bytes (transaction id)
+ 2 bytes (flags)
+ 2 bytes (questions)
+ 2 bytes (answer RRs)
+ 2 bytes (authority RRs)
+ 2 bytes (additional RRs)
+ 1 byte  (count for the first label) [0]

We look for the label terminating byte (0x00) followed by the AXFR
(0x00fc). Simple math tells us our offset needs to be 15.  

Can you send me pcap for what this does?

[0] since this is a zone transfer, they have to ask for the zone, so
    we know there is going to be at least one label.
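The byte layout Brian walks through above, as an added example that is not code from the thread or from Snort: a small parser that walks the TCP length prefix, the 12-byte DNS header and the QNAME labels to find where QTYPE actually sits, alongside a function that emulates the rule's `content:"|00 00 FC|"; offset:15;` match (an assumed approximation of Snort's offset semantics: the search starts at that payload byte). The sample packets are constructed, not the windump captures from the message.

```python
import struct

AXFR_QTYPE = 0x00FC  # QTYPE 252: the value the rule looks for right after the 0x00 name terminator

def parse_tcp_dns_question(payload: bytes):
    """Parse a DNS-over-TCP payload (2-byte length prefix + DNS message) and return
    (qname, qtype, qtype_offset) for the first question, or None if it is not a well-formed
    query. qtype_offset counts from the start of the TCP payload, like the rule's offset."""
    if len(payload) < 14:
        return None
    (msglen,) = struct.unpack("!H", payload[:2])
    msg = payload[2:2 + msglen]
    if len(msg) < 12:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if qdcount < 1 or flags & 0x8000:      # no question, or QR bit set (a response, not a query)
        return None
    pos, labels = 12, []
    while True:                            # QNAME: length-prefixed labels ending in a 0x00 byte
        if pos >= len(msg):
            return None
        n = msg[pos]
        if n == 0:
            pos += 1
            break
        if n & 0xC0:                       # compression pointers are not valid in a query name
            return None
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    if pos + 4 > len(msg):
        return None
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype, 2 + pos

def is_axfr_query(payload: bytes) -> bool:
    """Structural check: the first question's QTYPE is AXFR, whatever the name length."""
    q = parse_tcp_dns_question(payload)
    return q is not None and q[1] == AXFR_QTYPE

def rule_content_match(payload: bytes, offset: int = 15) -> bool:
    """Emulate the rule's byte match: '|00 00 FC|' searched from payload byte `offset` onward."""
    return payload.find(b"\x00\x00\xfc", offset) != -1

def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a constructed DNS-over-TCP query (length prefix, header, one question)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = struct.pack("!6H", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg

AXFR_EXAMPLE = build_query("example.com", AXFR_QTYPE)  # constructed zone transfer request
A_EXAMPLE = build_query("example.com", 1)              # constructed ordinary A query
```

For the AXFR sample the parser puts QTYPE at payload byte 27, so the three-byte pattern starts at byte 26 and the fixed offset of 15 is comfortably satisfied; the structural parse is the check to fall back on when a capture shows the pattern landing somewhere the byte match does not expect.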


