[Snort-sigs] suggested modification of SID 255

Dan Thorson dan.thorson at ...2264...
Tue Feb 24 06:54:38 EST 2004


Shouldn't this rule be changed to alert only if the source IP is NOT a DNS server?  i.e.

alert tcp !$DNS_SERVERS any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; flow:to_server,established; content: "|00 00 FC|"; offset:15; reference:cve,CAN-1999-0532; reference:arachnids,212; classtype:attempted-recon; sid:255; rev:8;)
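
The check the proposed rule performs, written out as an added example that is not part of the original post. Where the rule searches for the bytes |00 00 FC| from offset 15, this sketch parses the first question of the DNS-over-TCP query and then applies the source exclusion. The function names and the `DNS_SERVERS` value are assumptions chosen for illustration.

```python
import ipaddress
import struct

AXFR = 252  # QTYPE 0x00FC, the last two bytes of the rule's |00 00 FC| content
# Constructed sample value standing in for $DNS_SERVERS (documentation range).
DNS_SERVERS = [ipaddress.ip_network("192.0.2.53/32")]

def tcp_dns_qtype(payload: bytes):
    """Return the QTYPE of the first question in a DNS-over-TCP query, else None."""
    if len(payload) < 14:
        return None
    (length,) = struct.unpack_from("!H", payload, 0)   # 2-byte TCP length prefix
    msg = payload[2:2 + length]
    if len(msg) < 12:
        return None
    flags, qdcount = struct.unpack_from("!HH", msg, 2)
    if flags & 0x8000 or qdcount == 0:                  # a response, or no question
        return None
    pos = 12                                            # QNAME follows the 12-byte header
    while True:
        if pos >= len(msg):
            return None                                 # truncated name
        label = msg[pos]
        if label == 0:                                  # root label: the |00| in the rule
            pos += 1
            break
        if label & 0xC0:                                # pointer/reserved: not expected here
            return None
        pos += 1 + label
    if pos + 4 > len(msg):
        return None
    (qtype,) = struct.unpack_from("!H", msg, pos)
    return qtype

def should_alert(src_ip: str, payload: bytes, dns_servers=DNS_SERVERS) -> bool:
    """Mirror the proposed rule: AXFR over TCP from a source outside $DNS_SERVERS."""
    if tcp_dns_qtype(payload) != AXFR:
        return False
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in dns_servers)

def build_query(name: str, qtype: int) -> bytes:
    """Build a constructed DNS-over-TCP query for exercising the detector."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", 0x1234, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg
```
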
