[Snort-sigs] new rule for detect windows NAT DNS DoS
bmc at ...95...
Tue Oct 31 11:05:21 EST 2006
On Tue, Oct 31, 2006 at 11:22:08AM -0500, M. Shirk wrote:
> This is what I had.
> It's the Query, with the other values set to null.
> alert tcp $HOME_NET any -> any 53 (msg:"DNS Goes bad on Windows";
> content:"|01 00|"; offset: 2; byte_test:8,=,0,0,relative; rev:1; sid:666; )
- using content where you should be using byte_test
- using byte_test where you should be using content
- even if byte_test was the correct rule option for the data it is being used to compare against (which it isn't), byte_test can only read up to 4 bytes of data.
1) Check the single bit with byte_test
2) Check the 8 bytes of null with content
0 - string mode is different. But you are not using string mode, so don't worry about it.
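The two checks the reply recommends (test the single flag bit, then match the eight null count bytes), written out as a plain Python header check instead of a Snort rule. This is an added example, not code from the thread; it assumes standard DNS-over-TCP framing (a 2-byte length prefix before the 12-byte DNS header), and the sample messages are constructed inline rather than captured traffic.

```python
import struct

RD_BIT = 0x0100  # Recursion Desired bit in the 16-bit DNS flags field


def is_suspicious_dns_query(payload: bytes) -> bool:
    """Return True when a DNS-over-TCP message has the RD bit set (the single
    bit to test, as byte_test would) and all four count fields are zero
    (the 8 null bytes to match, as content would)."""
    # Need the 2-byte length prefix plus a complete 12-byte DNS header.
    if len(payload) < 14:
        return False
    (length,) = struct.unpack("!H", payload[:2])
    if length < 12 or length > len(payload) - 2:
        return False  # malformed framing is a different problem; no match here
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[2:14])
    if not flags & RD_BIT:
        return False
    # QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT all zero == 8 null bytes after flags.
    return (qd, an, ns, ar) == (0, 0, 0, 0)


def build_dns_tcp(flags: int, qd=0, an=0, ns=0, ar=0, ident=0x1234, body=b"") -> bytes:
    """Helper to construct a DNS-over-TCP message for testing (constructed data)."""
    header = struct.pack("!HHHHHH", ident, flags, qd, an, ns, ar)
    return struct.pack("!H", len(header) + len(body)) + header + body


# Constructed samples: the degenerate query (RD set, no question at all)
# versus an ordinary recursive query carrying one question for example.com.
SUSPECT = build_dns_tcp(0x0100)
QUESTION = b"\x07example\x03com\x00\x00\x01\x00\x01"
NORMAL = build_dns_tcp(0x0100, qd=1, body=QUESTION)

if __name__ == "__main__":
    print("suspect:", is_suspicious_dns_query(SUSPECT))  # True
    print("normal: ", is_suspicious_dns_query(NORMAL))   # False
```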