[Snort-sigs] PROTOCOL-DNS DNS query amplification attempt (1:28556)

Al Lewis (allewi) allewi at ...3865...
Mon May 4 10:35:26 EDT 2015

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS DNS query amplification attempt"; flow:to_server; content:"|00 01|"; depth:2; offset:4; content:"|00 01|"; within:2; distance:4; byte_test:1,!&,0xF8,2; content:"|00 00 FF 00 01 00 00 29|"; byte_test:2,>,0x7FFF,0,relative; metadata:policy security-ips drop, ruleset community, service dns; reference:url,www.us-cert.gov/ncas/alerts/TA13-088A; classtype:attempted-dos; sid:28556; rev:2; )

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...3865...

From: Mustaque [mailto:mustaque.ahmad at ...4030...]
Sent: Monday, May 04, 2015 1:58 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] PROTOCOL-DNS DNS query amplification attempt (1:28556)


I can't see the packet information to investigate the integrity of this rule. And what does this rule do? Need more info.

Thanks and Regards
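What the rule Al Lewis posted above actually matches can be read off its options against the DNS wire format (RFC 1035 header, RFC 6891 OPT record): a packet to port 53 whose QDCOUNT is 1 and ARCOUNT is 1, whose flags high byte has QR and Opcode both zero (a standard query, not a response), whose single question ends in QTYPE 255 (ANY) in class IN, immediately followed by an OPT pseudo-record (root name, type 41) whose CLASS field, which EDNS0 uses to carry the requestor's advertised UDP payload size, is greater than 0x7FFF (32767 bytes). That is the shape of the open-resolver probes described in the referenced US-CERT alert. The script below is an added example, not part of this thread or of the Snort project; it re-implements each rule option step by step in Python and runs the check over constructed DNS queries. The packet builder, the function name matches_sid_28556, and the sample queries for example.com are assumptions made for illustration.

```python
import struct
from typing import Optional

QTYPE_ANY = 255
OPT_TYPE = 41
# The rule's third content match: QNAME terminator, QTYPE ANY, QCLASS IN,
# then the OPT record's root name and type (00 29).
RULE_CONTENT = b"\x00\x00\xff\x00\x01\x00\x00\x29"


def encode_name(name: str) -> bytes:
    """Encode a hostname as RFC 1035 labels, terminated by a zero-length label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int, edns_udp_size: Optional[int],
                flags: int = 0x0100, txid: int = 0x1234) -> bytes:
    """Build a one-question DNS message (hypothetical helper for the demo).

    If edns_udp_size is given, an EDNS0 OPT record advertising that UDP
    payload size is appended and ARCOUNT is set to 1.
    """
    arcount = 1 if edns_udp_size is not None else 0
    # Header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN
    opt = b""
    if edns_udp_size is not None:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLENGTH=0
        opt = b"\x00" + struct.pack(">HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return header + question + opt


def matches_sid_28556(payload: bytes) -> bool:
    """Apply the checks of Snort sid 28556 to a UDP payload, in rule order."""
    if len(payload) < 12:
        return False
    # content:"|00 01|"; depth:2; offset:4   -> QDCOUNT == 1
    if payload[4:6] != b"\x00\x01":
        return False
    # content:"|00 01|"; within:2; distance:4 -> skip ANCOUNT/NSCOUNT, ARCOUNT == 1
    if payload[10:12] != b"\x00\x01":
        return False
    # byte_test:1,!&,0xF8,2 -> QR bit and 4-bit Opcode all zero: a standard query
    if payload[2] & 0xF8:
        return False
    # content:"|00 00 FF 00 01 00 00 29|" -> QTYPE ANY, class IN, then OPT record
    idx = payload.find(RULE_CONTENT)
    if idx < 0:
        return False
    # byte_test:2,>,0x7FFF,0,relative -> OPT CLASS (advertised UDP size) > 32767
    pos = idx + len(RULE_CONTENT)
    if len(payload) < pos + 2:
        return False
    udp_size = struct.unpack(">H", payload[pos:pos + 2])[0]
    return udp_size > 0x7FFF


# Constructed sample traffic (not captured packets).
AMPLIFICATION_PROBE = build_query("example.com", QTYPE_ANY, edns_udp_size=65535)
ANY_SMALL_BUFFER = build_query("example.com", QTYPE_ANY, edns_udp_size=4096)
ORDINARY_A_QUERY = build_query("example.com", 1, edns_udp_size=65535)
ANY_WITHOUT_EDNS = build_query("example.com", QTYPE_ANY, edns_udp_size=None)
ANY_RESPONSE = build_query("example.com", QTYPE_ANY, edns_udp_size=65535, flags=0x8180)

if __name__ == "__main__":
    for label, pkt in [("ANY + EDNS0 65535", AMPLIFICATION_PROBE),
                       ("ANY + EDNS0 4096", ANY_SMALL_BUFFER),
                       ("A   + EDNS0 65535", ORDINARY_A_QUERY),
                       ("ANY, no EDNS0", ANY_WITHOUT_EDNS),
                       ("ANY response (QR=1)", ANY_RESPONSE)]:
        print(f"{label:22s} -> {'ALERT' if matches_sid_28556(pkt) else 'no match'}")
```

Only the first sample fires: the same ANY query with a modest 4096-byte EDNS0 buffer, an A query, a query without an OPT record, and a response with the QR bit set all fall through one of the checks. Note that the final byte_test reads the two bytes right after the content match rather than an absolute offset, so the rule works regardless of QNAME length; it also means a resolver that honours a 65535-byte advertised size is exactly the amplifier the alert warns about, so the rule is aimed at the authoritative or open-resolver side ($HOME_NET port 53), not at clients.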