[Snort-sigs] Dynamic DNS update attempt (new sig)

Jon Hart jhart at ...288...
Wed Nov 1 14:21:27 EST 2006

Is this more correct?

alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS Dynamic update
attempt"; byte_test:2,&,10240,2; content:!"|00 00|"; offset:4; depth:2;
byte_test:2,^,1,0,relative; content:!"|00 00|"; distance:4; depth:2;
byte_test:2,^,1,0,relative; isdataat:22,relative; sid:11111111; rev:2;)

Same intention as before, except with bmc's suggestions.

pcap attached, test code at http://spoofed.org/files/dnsupdate


-------------- next part --------------
A non-text attachment was scrubbed...
Name: dns-update.pcap
Type: application/cap
Size: 131 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20061101/6666d3c2/attachment.bin>
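
An added example, not part of the original post and not the test code linked above: it decodes the DNS header fields the rule inspects (flags at offset 2, the count fields from offset 4) and compares an exact opcode check for UPDATE (opcode 5, RFC 2136) with a nonzero bitwise-AND against 10240 (0x2800), the operand of the rule's first byte_test. All function names and sample packets are constructed for illustration, and the mask test models byte_test's & operator as "result is nonzero".

```python
import struct

OPCODE_UPDATE = 5      # RFC 2136 dynamic update
OPCODE_MASK = 0x7800   # opcode bits inside the 16-bit flags word
RULE_MASK = 10240      # 0x2800, operand of byte_test:2,&,10240,2

def parse_header(payload: bytes) -> dict:
    """Decode the 12-byte DNS header using the RFC 2136 count-field names."""
    if len(payload) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags, zo, pr, up, ad = struct.unpack("!6H", payload[:12])
    return {"id": ident, "flags": flags, "qr": flags >> 15,
            "opcode": (flags & OPCODE_MASK) >> 11,
            "zocount": zo, "prcount": pr, "upcount": up, "adcount": ad}

def is_dynamic_update(payload: bytes) -> bool:
    """Exact test: a request (QR=0) with opcode 5 and exactly one zone entry."""
    try:
        h = parse_header(payload)
    except ValueError:
        return False
    return h["qr"] == 0 and h["opcode"] == OPCODE_UPDATE and h["zocount"] == 1

def mask_test(payload: bytes) -> bool:
    """Nonzero-AND of the flags word (bytes 2-3) with 0x2800."""
    if len(payload) < 4:
        return False
    return (struct.unpack("!H", payload[2:4])[0] & RULE_MASK) != 0

def build(opcode: int, counts, body: bytes = b"") -> bytes:
    """Constructed message: header with the given opcode and counts, then body."""
    return struct.pack("!6H", 0x1234, opcode << 11, *counts) + body

# Constructed samples (not taken from the attached pcap). Only the zone or
# question entry is included in the body; update RRs are omitted.
ZONE = b"\x07example\x03com\x00\x00\x06\x00\x01"   # example.com, SOA, IN
SAMPLES = {
    "update": build(5, (1, 0, 1, 0), ZONE),
    "query":  build(0, (1, 0, 0, 0), ZONE),
    "notify": build(4, (1, 0, 0, 0), ZONE),
}

def classify() -> dict:
    """Map sample name -> (exact opcode match, mask match)."""
    return {n: (is_dynamic_update(p), mask_test(p)) for n, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (exact, mask) in classify().items():
        print(f"{name:7s} exact={exact} mask={mask}")
```

The constructed NOTIFY sample (opcode 4) passes the mask test but not the exact opcode comparison, which is the case to check when tuning a rule like this against a capture.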
