[Snort-sigs] new rule for detect windows NAT DNS DoS

Frank Knobbe frank at ...1978...
Tue Oct 31 14:32:03 EST 2006


On Tue, 2006-10-31 at 11:22 -0500, M. Shirk wrote:
> This is what I had.
> It's the Query, with the other values set to null.
> 
> alert tcp $HOME_NET any -> any 53 (msg:"DNS Goes bad on Windows"; 
> content:"|01 00|"; offset: 2; byte_test:8,=,0,0,relative; rev:1; sid:666; )

Looks identical, except using byte_test instead of a second content.
That should be FP'ing a lot too, or not?

-Frank



-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
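
Added example, not part of the original thread and not Snort code: a small Python emulation of the two options in the quoted rule, run over constructed DNS payloads, to show where in a payload the rule can be satisfied. It assumes byte_test:8,=,0,0,relative means "the eight bytes after the content match are all zero" (the four header counts, as the quoted message describes) and that a failed test is retried at the next occurrence of the content; the helper names and sample payloads are made up for illustration.

```python
import struct

RD_QUERY_FLAGS = b"\x01\x00"  # the rule's content:"|01 00|"


def dns_header(txid, flags, qd=0, an=0, ns=0, ar=0):
    """12-byte DNS header: ID, flags, then the four 16-bit section counts."""
    return struct.pack(">6H", txid, flags, qd, an, ns, ar)


def question(name, qtype=1, qclass=1):
    """One question entry: length-prefixed labels, root label, QTYPE, QCLASS."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return labels + b"\x00" + struct.pack(">2H", qtype, qclass)


def tcp_frame(message):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack(">H", len(message)) + message


def rule_match_offset(payload, offset=2):
    """Offset where both quoted rule options are satisfied, or -1.

    content:"|01 00|"; offset:2;   -> search from byte 2 to the end (no depth given)
    byte_test:8,=,0,0,relative;    -> assumed: the 8 bytes after the match are zero
    """
    pos = payload.find(RD_QUERY_FLAGS, offset)
    while pos != -1:
        tail = payload[pos + 2:pos + 10]
        if len(tail) == 8 and int.from_bytes(tail, "big") == 0:
            return pos
        pos = payload.find(RD_QUERY_FLAGS, pos + 1)  # retry at a later occurrence
    return -1


# Constructed sample payloads (not captured traffic).
EMPTY_QUERY = dns_header(0x1234, 0x0100)                     # all four counts zero
NORMAL_QUERY = dns_header(0x1234, 0x0100, qd=1) + question("example.com")
TRAILING = NORMAL_QUERY + RD_QUERY_FLAGS + b"\x00" * 8       # same bytes past the header

if __name__ == "__main__":
    for label, data in [("empty/udp", EMPTY_QUERY), ("empty/tcp", tcp_frame(EMPTY_QUERY)),
                        ("normal/udp", NORMAL_QUERY), ("normal/tcp", tcp_frame(NORMAL_QUERY)),
                        ("trailing/udp", TRAILING)]:
        print(f"{label:13} match offset: {rule_match_offset(data)}")
```

In this emulation the third sample is satisfied at offset 29, outside the DNS header, because the content option carries an offset but nothing that ties the match to the flags field.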
