[Snort-sigs] new rule for detect windows NAT DNS DoS

Frank Knobbe frank at ...1978...
Tue Oct 31 15:10:11 EST 2006


On Tue, 2006-10-31 at 13:32 -0600, Frank Knobbe wrote:
> On Tue, 2006-10-31 at 11:22 -0500, M. Shirk wrote:
> > This is what I had.
> > It's the Query, with the other values set to null.
> > 
> > alert tcp $HOME_NET any -> any 53 (msg:"DNS Goes bad on Windows"; 
> > content:"|01 00|"; offset: 2; byte_test:8,=,0,0,relative; rev:1; sid:666; )
> 
> Looks identical, except using byte_test instead of a second content.

Or not.... never mind.  /me rubs eyes

-Frank

-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
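An added example, not part of the original thread: a simplified Python model of what the quoted rule's `content` and `byte_test` options check, run against constructed DNS payloads. The function names, the sample transaction ID and the `example.com` query are assumptions made for illustration; the model covers only the payload options, not the rule header.

```python
import struct

FLAGS = b"\x01\x00"  # the rule's content:"|01 00|" (standard query, RD set)

def rule_matches(payload: bytes) -> bool:
    """Model of: content:"|01 00|"; offset:2; byte_test:8,=,0,0,relative;"""
    pos = payload.find(FLAGS, 2)            # offset:2 with no depth: search to end
    while pos != -1:
        after = pos + len(FLAGS)            # relative cursor sits after the match
        window = payload[after:after + 8]   # byte_test reads 8 bytes from there
        if len(window) == 8 and int.from_bytes(window, "big") == 0:
            return True
        pos = payload.find(FLAGS, pos + 1)  # retry on a later content match
    return False

def dns_header(txid, flags, qd, an, ns, ar):
    # RFC 1035 header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    return struct.pack("!6H", txid, flags, qd, an, ns, ar)

def tcp_frame(msg: bytes) -> bytes:
    # DNS over TCP prefixes each message with a 2-byte length
    return struct.pack("!H", len(msg)) + msg

# Constructed samples (not captured traffic)
QUESTION = b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1)  # A / IN
NORMAL_QUERY = dns_header(0x1234, 0x0100, 1, 0, 0, 0) + QUESTION
ZERO_COUNTS = dns_header(0x1234, 0x0100, 0, 0, 0, 0)  # all four counts zero
ZERO_RESPONSE = dns_header(0x1234, 0x8180, 0, 0, 0, 0)

def summary():
    samples = {
        "normal query (UDP layout)": NORMAL_QUERY,
        "normal query (TCP framed)": tcp_frame(NORMAL_QUERY),
        "zero counts (UDP layout)": ZERO_COUNTS,
        "zero counts (TCP framed)": tcp_frame(ZERO_COUNTS),
        "response, zero counts": ZERO_RESPONSE,
    }
    return {name: rule_matches(data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, hit in summary().items():
        print(f"{name:28s} -> {'ALERT' if hit else 'no match'}")
```

Because the `content` option has an offset but no depth, the model finds the flags at byte 2 in the UDP layout and at byte 4 behind the TCP length prefix, and the eight bytes tested after them are the four 16-bit count fields in both cases.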
