[Snort-sigs] suggested modification of SID 255

Dan.Thorson at ...2264...
Tue Feb 24 09:24:13 EST 2004


I concur... but since DNS_SERVERS is already set in snort.conf, then
wouldn't it be safe to use "DNS_SERVERS" in SID:255, rather than HOME_NET?

danT

===================================================
Dan Thorson - Seagate Technology - CCIE 10754
desk +1 (952) 402-8293        fax +1 (952) 402-1007
SeaTel  8-402-8293
===================================================


Brian <bmc at ...95...> wrote on 02/24/2004 10:32 AM:

To:       Dan Thorson <dan.thorson at ...2264...>
cc:       snort-sigs at lists.sourceforge.net
Subject:  Re: [Snort-sigs] suggested modification of SID 255


On Fri, Feb 20, 2004 at 03:55:23PM -0600, Dan Thorson wrote:
> Shouldn't this rule be changed to alert only if the source IP is NOT a
> DNS server?  i.e.
>
> alert tcp !$DNS_SERVERS any -> $HOME_NET 53 (msg:"DNS zone transfer TCP";
> flow:to_server,established; content: "|00 00 FC|"; offset:15;
> reference:cve,CAN-1999-0532; reference:arachnids,212;
> classtype:attempted-recon; sid:255; rev:8;)

Nope.  We don't want to ship rules that fail by default.  By default,
DNS_SERVERS is set to HOME_NET, which is set to any.

Brian
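As an added illustration that is not part of the thread, the following Python model of Snort rule-header IP variables shows why the proposed `!$DNS_SERVERS` source field never alerts under the shipped snort.conf defaults (DNS_SERVERS = $HOME_NET = any) and how it behaves once DNS_SERVERS is set explicitly. The model, the constructed addresses and the treatment of `!any` as matching no address are assumptions of the example, not Snort's actual parser.

```python
import ipaddress

# Added example: a simplified model of how a Snort 2.x rule header resolves
# $VARIABLES and IP negation. Constructed for illustration; it is not Snort's
# parser. Assumption: "!any" is treated as matching no address at all.

def parse_ipvar(value):
    """Split '!' off a value such as 'any', '10.0.0.0/8' or '![a,b]'."""
    negated = value.startswith("!")
    body = value.lstrip("!").strip("[]")
    if body == "any":
        return negated, None            # None stands for every address
    nets = [ipaddress.ip_network(n.strip(), strict=False) for n in body.split(",")]
    return negated, nets

def ip_matches(value, ip):
    """Does the (possibly negated) header field cover this address?"""
    negated, nets = parse_ipvar(value)
    in_set = True if nets is None else any(ipaddress.ip_address(ip) in n for n in nets)
    return not in_set if negated else in_set

def expand(field, variables):
    """Substitute $NAME references; a variable may point at another variable."""
    for _ in range(len(variables) + 1):
        for name, val in variables.items():
            field = field.replace("$" + name, val)
    return field

def header_fires(src_field, dst_field, variables, src_ip, dst_ip):
    """Evaluate the IP part of 'alert tcp <src> any -> <dst> 53'."""
    return (ip_matches(expand(src_field, variables), src_ip)
            and ip_matches(expand(dst_field, variables), dst_ip))

# Constructed snort.conf settings: the shipped default and an explicit one.
DEFAULT_CONF = {"HOME_NET": "any", "DNS_SERVERS": "$HOME_NET"}
TUNED_CONF = {"HOME_NET": "192.168.0.0/16",
              "DNS_SERVERS": "[192.168.1.10,192.168.1.11]"}

def proposed_sid255_fires(conf, src_ip, dst_ip="192.168.1.10"):
    """Header proposed in the thread: alert tcp !$DNS_SERVERS any -> $HOME_NET 53"""
    return header_fires("!$DNS_SERVERS", "$HOME_NET", conf, src_ip, dst_ip)

if __name__ == "__main__":
    # Default conf: the source field collapses to "!any", so nothing ever alerts.
    print("default conf, external client:", proposed_sid255_fires(DEFAULT_CONF, "203.0.113.5"))  # False
    # Explicit DNS_SERVERS: outsiders alert, a listed secondary does not.
    print("tuned conf, external client:  ", proposed_sid255_fires(TUNED_CONF, "203.0.113.5"))    # True
    print("tuned conf, secondary server: ", proposed_sid255_fires(TUNED_CONF, "192.168.1.11"))   # False
```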