[Snort-sigs] new rule for detect windows NAT DNS DoS

Brian bmc at ...95...
Tue Oct 31 11:05:21 EST 2006

On Tue, Oct 31, 2006 at 11:22:08AM -0500, M. Shirk wrote:
> This is what I had.
> It's the query, with the other values set to null.
> alert tcp $HOME_NET any -> any 53 (msg:"DNS Goes bad on Windows"; 
> content:"|01 00|"; offset: 2; byte_test:8,=,0,0,relative; rev:1; sid:666; )

- using content where you should be using byte_test
- using byte_test where you should be using content
- even if byte_test were the correct rule option for the data it is
  being used to compare against (which it isn't), byte_test can only read
  up to 4 bytes of data. [0]

Fixup suggestions:
1) Check the single bit with byte_test
2) Check the 8 bytes of null with content


0 - String mode is different, but you are not using string mode, so
    don't worry about it.
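The two fixup suggestions above, worked through as an added Python example (not code from the thread or from Snort itself). It operates on the 12-byte DNS header after any TCP length prefix has been stripped, so the offsets line up with the quoted rule; the reply does not say which single bit it means, so the example assumes the RD bit that the quoted `|01 00|` pattern sets (with QR clear, i.e. a query). The `byte_test` helper keeps Snort's 1..4 byte limit to show why the quoted `byte_test:8` cannot work.

```python
import struct

# Offsets inside the 12-byte DNS header (RFC 1035, section 4.1.1):
# ID(2) FLAGS(2) QDCOUNT(2) ANCOUNT(2) NSCOUNT(2) ARCOUNT(2)
FLAGS_OFFSET = 2
COUNTS_OFFSET = 4
COUNTS_LEN = 8

QR_BIT = 0x80  # high bit of the first flags byte: 0 = query, 1 = response
RD_BIT = 0x01  # low bit of the first flags byte: recursion desired


def byte_test(payload: bytes, size: int, offset: int) -> int:
    """Read `size` big-endian bytes at `offset`, with the same 1..4 byte
    limit that Snort's byte_test has in non-string mode."""
    if not 1 <= size <= 4:
        raise ValueError("byte_test reads at most 4 bytes (non-string mode)")
    if offset + size > len(payload):
        raise ValueError("byte_test read runs past the end of the payload")
    return int.from_bytes(payload[offset:offset + size], "big")


def content_at(payload: bytes, pattern: bytes, offset: int) -> bool:
    """Equivalent of a content match pinned at a fixed offset."""
    return payload[offset:offset + len(pattern)] == pattern


def is_empty_query(header: bytes) -> bool:
    """True for a recursion-desired query whose four count fields
    (QD/AN/NS/AR) are all zero, i.e. a query that asks nothing."""
    if len(header) < 12:
        return False
    # Fixup 1: test the single bits with a byte_test-style read (assumption:
    # RD set and QR clear is the bit pattern the reply has in mind).
    flags_hi = byte_test(header, 1, FLAGS_OFFSET)
    if flags_hi & QR_BIT or not flags_hi & RD_BIT:
        return False
    # Fixup 2: the 8 null bytes are a content match, not a byte_test.
    return content_at(header, b"\x00" * COUNTS_LEN, COUNTS_OFFSET)


def build_header(tid, flags, qd, an, ns, ar):
    """Constructed sample headers for testing; not captured traffic."""
    return struct.pack("!HHHHHH", tid, flags, qd, an, ns, ar)


EMPTY_QUERY = build_header(0x1234, 0x0100, 0, 0, 0, 0)   # should alert
NORMAL_QUERY = build_header(0x1234, 0x0100, 1, 0, 0, 0)  # one question: ok
RESPONSE = build_header(0x1234, 0x8180, 0, 0, 0, 0)      # QR set: ok

if __name__ == "__main__":
    for name, hdr in (("empty query", EMPTY_QUERY), ("normal query", NORMAL_QUERY), ("response", RESPONSE)):
        print(name, "ALERT" if is_empty_query(hdr) else "ok")
```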
