[Snort-sigs] suggested modification of SID 255

Brian bmc at ...95...
Tue Feb 24 08:42:02 EST 2004


On Fri, Feb 20, 2004 at 03:55:23PM -0600, Dan Thorson wrote:
> Shouldn't this rule be changed to alert only if the source IP is NOT a DNS server?  i.e.
> 
> alert tcp !$DNS_SERVERS any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; flow:to_server,established; content: "|00 00 FC|"; offset:15; reference:cve,CAN-1999-0532; reference:arachnids,212; classtype:attempted-recon; sid:255; rev:8;)

Nope.  We don't want to ship rules that fail by default.  By default,
DNS_SERVERS is set to HOME_NET, which is set to any.  

Brian
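
Added example (not part of the original thread, and not Snort project code): a small Python check that expands `var` definitions and flags a rule header whose negated address resolves to `any`, which is the default situation the reply describes. Both configurations are constructed samples and the function names are hypothetical.

```python
import re

# Constructed sample: the default variable chain described in the reply.
DEFAULT_CONF = "var HOME_NET any\nvar DNS_SERVERS $HOME_NET\n"
# Constructed sample: a site that has listed its real DNS servers.
TUNED_CONF = "var HOME_NET 10.1.0.0/16\nvar DNS_SERVERS [10.1.1.53,10.1.2.53]\n"
# Header of the rule proposed in the thread (options omitted).
PROPOSED_HEADER = "alert tcp !$DNS_SERVERS any -> $HOME_NET 53"


def parse_vars(conf):
    """Collect 'var NAME value' lines from snort.conf-style text."""
    variables = {}
    for line in conf.splitlines():
        m = re.match(r"\s*var\s+(\S+)\s+(\S+)", line)
        if m:
            variables[m.group(1)] = m.group(2)
    return variables


def resolve(value, variables, depth=0):
    """Follow $NAME references until a literal address spec remains."""
    if depth > 16:
        raise ValueError("variable reference loop")
    if value.startswith("$"):
        name = value[1:]
        if name not in variables:
            raise KeyError("undefined variable: " + name)
        return resolve(variables[name], variables, depth + 1)
    return value


def negated_any_fields(header, variables):
    """Name the address fields that expand to the negation of 'any'."""
    fields = header.split()  # action proto src sport -> dst dport
    if len(fields) != 7:
        raise ValueError("unexpected rule header: " + header)
    bad = []
    for label, field in (("source", fields[2]), ("destination", fields[5])):
        # Negating 'any' leaves no address for the rule to match.
        if field.startswith("!") and resolve(field[1:], variables) == "any":
            bad.append(label)
    return bad


if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("tuned", TUNED_CONF)):
        print(name, negated_any_fields(PROPOSED_HEADER, parse_vars(conf)))
```
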



