[Snort-sigs] new rule for detect windows NAT DNS DoS

Brian bmc at ...95...
Tue Oct 31 11:05:21 EST 2006


On Tue, Oct 31, 2006 at 11:22:08AM -0500, M. Shirk wrote:
> This is what I had.
> 
> It's the Query, with the other values set to null.
> 
> alert tcp $HOME_NET any -> any 53 (msg:"DNS Goes bad on Windows"; 
> content:"|01 00|"; offset: 2; byte_test:8,=,0,0,relative; rev:1; sid:666; )

commentary: 
- using content where you should be using byte_test
- using byte_test where you should be using content
- even if byte_test was the correct rule option for the data it is
  being used to compare against (which it isn't), byte_test can only read 
  up to 4 bytes of data. [0]

Fixup suggestions:
1) Check the single bit with byte_test
2) Check the 8 bytes of null with content

Brian

0 - string mode is different.  but you are not using string mode, so
    don't worry about it.
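As an added illustration of the two fixup suggestions above (my reconstruction, not a rule or code from this thread, and assuming the "single bit" is the RD bit that the original `|01 00|` content matched), the detection logic run in Python over constructed DNS headers; the rule in the comment is likewise my reconstruction:

```python
import struct

# Rule implementing the two fixup suggestions (my reconstruction, not a
# rule from this thread): byte_test checks one bit of the flags byte, and
# content checks the eight null count bytes that byte_test (4 bytes max) cannot.
#   alert tcp $HOME_NET any -> any 53 (msg:"DNS Goes bad on Windows"; \
#     byte_test:1,&,1,2; content:"|00 00 00 00 00 00 00 00|"; offset:4; \
#     depth:8; sid:666; rev:2;)
# Offsets are those of a raw DNS message; see strip_tcp_length() for TCP.

DNS_HEADER_LEN = 12
RD_MASK = 0x01          # RD bit: low bit of the first flags byte (offset 2)

def is_null_count_query(msg: bytes) -> bool:
    """Apply the two checks to a raw DNS message.

    byte_test:1,&,1,2 -> RD bit set in the flags byte at offset 2.
    content 8 x 00 at offset 4, depth 8 -> QDCOUNT, ANCOUNT, NSCOUNT and
    ARCOUNT all zero: a 'query' that carries no question section at all.
    """
    if len(msg) < DNS_HEADER_LEN:
        return False
    return bool(msg[2] & RD_MASK) and msg[4:12] == b"\x00" * 8

def strip_tcp_length(payload: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035
    section 4.2.2). Return the message body, or b"" if the prefix does not
    match the data. A tcp rule using raw-message offsets must add 2 to each."""
    if len(payload) < 2:
        return b""
    (length,) = struct.unpack("!H", payload[:2])
    body = payload[2:2 + length]
    return body if len(body) == length else b""

def dns_header(txid: int, flags: int, qd: int, an: int, ns: int, ar: int) -> bytes:
    """Pack the fixed 12-byte DNS header (all fields big-endian 16-bit)."""
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar)

# Constructed sample messages (not captured traffic).
QUESTION = b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
NORMAL_QUERY = dns_header(0x1234, 0x0100, 1, 0, 0, 0) + QUESTION
EMPTY_QUERY = dns_header(0x1234, 0x0100, 0, 0, 0, 0)     # RD set, all counts 0
EMPTY_NO_RD = dns_header(0x1234, 0x0000, 0, 0, 0, 0)     # bit check fails
TCP_EMPTY_QUERY = struct.pack("!H", len(EMPTY_QUERY)) + EMPTY_QUERY

if __name__ == "__main__":
    for name, msg in [("normal", NORMAL_QUERY), ("empty", EMPTY_QUERY),
                      ("empty_no_rd", EMPTY_NO_RD)]:
        print(f"{name}: {is_null_count_query(msg)}")
    print("tcp_empty:", is_null_count_query(strip_tcp_length(TCP_EMPTY_QUERY)))
```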
