[Snort-sigs] new rule for detect windows NAT DNS DoS

M. Shirk shirkdog_list at ...12...
Wed Nov 1 11:47:44 EST 2006

Yeah, checking the code I see the string match for byte_test with an 
There also seems to be a 10 byte limitation with string, as in, I should be 
using a content match. So 1,2,4 bytes for all.

Really though, isn't this perfect for the DNS Preprocessor as it checks tcp 
and udp traffic on port 53?

Or at least a shared object rule :-)


>From: Brian <bmc at ...95...>
>To: "M. Shirk" <shirkdog_list at ...12...>
>CC: Snort-sigs at lists.sourceforge.net, rmkml at ...324...,bhartstein at ...274...
>Subject: Re: [Snort-sigs] new rule for detect windows NAT DNS DoS
>Date: Tue, 31 Oct 2006 11:05:21 -0500
>On Tue, Oct 31, 2006 at 11:22:08AM -0500, M. Shirk wrote:
> > This is what I had.
> >
> > Its the Query, with the other values set to null.
> >
> > alert tcp $HOME_NET any -> any 53 (msg:"DNS Goes bad on Windows";
> > content:"|01 00|"; offset: 2; byte_test:8,=,0,0,relative; rev:1; 
> > sid:666; )
>- using content where you should be using byte_test
>- using byte_test where you should be using content
>- even if byte_test was the correct rule option for the data it is
>   being used to compare against (which it isn't), byte_test can only read
>   up to 4 bytes of data. [0]
>Fixup suggestions:
>1) Check the single bit with byte_test
>2) Check the 8 bytes of null with content
>0 - string mode is different.  but you are not using string mode, so
>     don't worry about it.
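The fixup Brian describes (a byte_test for the single flag bit, a content match for the eight null bytes) can be modelled outside Snort to see why the original combination does not work. The following Python is an added example written for this archive page, not code from the thread or from the Snort project. It assumes the payload starts at the 12-byte DNS header (RFC 1035 layout, as the rule in the thread assumes), and emulates only the non-string form of byte_test, whose 1/2/4-byte width limit is the point raised above. All sample packets are constructed.

```python
import struct

# DNS header (RFC 1035): ID(2) FLAGS(2) QDCOUNT(2) ANCOUNT(2) NSCOUNT(2) ARCOUNT(2)
DNS_HEADER_LEN = 12
FLAGS_OFFSET = 2      # first flags byte: QR(1) Opcode(4) AA TC RD
COUNTS_OFFSET = 4     # the four 16-bit section counts, 8 bytes in total
RD_BIT = 0x01         # "recursion desired" is the low bit of the first flags byte


def byte_test(payload: bytes, size: int, op: str, value: int, offset: int) -> bool:
    """Emulate Snort's byte_test (non-string mode): read 1, 2 or 4 big-endian
    bytes at `offset` and compare with `value`. Any other width is rejected,
    which is the limitation the thread hits with byte_test:8."""
    if size not in (1, 2, 4):
        raise ValueError(f"byte_test reads 1, 2 or 4 bytes, not {size}")
    if offset + size > len(payload):
        return False
    read = int.from_bytes(payload[offset:offset + size], "big")
    ops = {
        "=": lambda a, b: a == b,
        "&": lambda a, b: (a & b) != 0,   # true when any tested bit is set
        "<": lambda a, b: a < b,
        ">": lambda a, b: a > b,
    }
    return ops[op](read, value)


def content(payload: bytes, pattern: bytes, offset: int) -> bool:
    """Emulate a content match anchored at a fixed offset."""
    return payload[offset:offset + len(pattern)] == pattern


def byte_test_supports(size: int) -> bool:
    """Report whether byte_test accepts a read of `size` bytes."""
    try:
        byte_test(b"\x00" * DNS_HEADER_LEN, size, "=", 0, COUNTS_OFFSET)
        return True
    except ValueError:
        return False


def original_flags_check(payload: bytes) -> bool:
    """The thread's original approach: content:"|01 00|" at offset 2, i.e. both
    flag bytes must equal exactly 0x0100."""
    return content(payload, b"\x01\x00", FLAGS_OFFSET)


def matches_empty_query(payload: bytes) -> bool:
    """Brian's fixup: byte_test for the single RD bit, content for the 8 null
    bytes (QDCOUNT, ANCOUNT, NSCOUNT and ARCOUNT all zero)."""
    if len(payload) < DNS_HEADER_LEN:
        return False
    return (byte_test(payload, 1, "&", RD_BIT, FLAGS_OFFSET)
            and content(payload, b"\x00" * 8, COUNTS_OFFSET))


def dns_header(flags: int, qd: int = 0, an: int = 0, ns: int = 0, ar: int = 0) -> bytes:
    """Build a constructed DNS header with a fixed transaction ID."""
    return struct.pack(">HHHHHH", 0x1234, flags, qd, an, ns, ar)


# Constructed samples (not captured traffic).
EMPTY_QUERY = dns_header(0x0100)                 # RD set, no question section
EMPTY_QUERY_CD = dns_header(0x0110)              # RD set plus CD; fails the |01 00| match
NORMAL_QUERY = dns_header(0x0100, qd=1) + b"\x07example\x03com\x00\x00\x01\x00\x01"

if __name__ == "__main__":
    for name, pkt in (("empty query", EMPTY_QUERY),
                      ("empty query, CD set", EMPTY_QUERY_CD),
                      ("normal query", NORMAL_QUERY)):
        print(f"{name:22s} fixup={matches_empty_query(pkt)} "
              f"original_flags={original_flags_check(pkt)}")
    print("byte_test:8 accepted?", byte_test_supports(8))
```

The second sample shows why the bit belongs in byte_test rather than content: a query with an extra flag bit set still has RD set and still carries the eight null count bytes, but the exact `|01 00|` match no longer fires.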
