[Snort-sigs] suggested modification of SID 255
bmc at ...95...
Tue Feb 24 08:42:02 EST 2004
On Fri, Feb 20, 2004 at 03:55:23PM -0600, Dan Thorson wrote:
> Shouldn't this rule be changed to alert only if the source IP is NOT a DNS server? i.e.
> alert tcp !$DNS_SERVERS any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; flow:to_server,established; content: "|00 00 FC|"; offset:15; reference:cve,CAN-1999-0532; reference:arachnids,212; classtype:attempted-recon; sid:255; rev:8;)
Nope. We don't want to ship rules that fail by default. By default,
DNS_SERVERS is set to HOME_NET, which is set to any.
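
The default-variable problem described in the reply, as an added Python example (not part of the original thread and not Snort's own code): it expands the `$VAR` references in the proposed rule header and reports any negated address that resolves to `!any`. The function names and the `SITE_VARS` addresses are constructed for the example.

```python
import re

# Defaults as described in the reply: DNS_SERVERS -> HOME_NET -> any.
DEFAULT_VARS = {"HOME_NET": "any", "DNS_SERVERS": "$HOME_NET"}
# Constructed sample: a site that has listed its own DNS servers.
SITE_VARS = {"HOME_NET": "192.0.2.0/24",
             "DNS_SERVERS": "[192.0.2.53,192.0.2.54]"}

# The modification proposed in the quoted message.
PROPOSED_RULE = ('alert tcp !$DNS_SERVERS any -> $HOME_NET 53 '
                 '(msg:"DNS zone transfer TCP"; flow:to_server,established; '
                 'content: "|00 00 FC|"; offset:15; sid:255; rev:8;)')

# action proto src sport direction dst dport (options...
HEADER = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(")

def resolve(value, variables, depth=0):
    """Expand $NAME references until only a literal address spec is left."""
    if depth > 16:
        raise ValueError("variable reference loop")
    def expand(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError("undefined variable $" + name)
        return resolve(variables[name], variables, depth + 1)
    return re.sub(r"\$(\w+)", expand, value)

def negated_any(rule, variables):
    """Return the header address fields that resolve to '!any'."""
    match = HEADER.match(rule)
    if not match:
        raise ValueError("not a rule header")
    problems = []
    for label, field in (("source", match.group(3)),
                         ("destination", match.group(6))):
        # A negated field is only a problem when its target expands to any.
        if field.startswith("!") and \
                resolve(field[1:], variables).strip("[]") == "any":
            problems.append(label + " " + field + " resolves to !any")
    return problems

if __name__ == "__main__":
    for name, variables in (("default", DEFAULT_VARS), ("site", SITE_VARS)):
        print(name, negated_any(PROPOSED_RULE, variables) or "ok")
```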