[Snort-users] snort rules in 07272k.rules

Tom Vandepoel Tom.Vandepoel at ...271...
Fri Aug 18 03:53:34 EDT 2000


kj wrote:
> 
> I just have a few questions about snort 07272k.rules.
> 
> On line 142 it reads:
> 
> alert udp !$HOME_NET any -> $HOME_NET 53 (msg:"MISC-DNS-version-query";
> content:"version|04|bind|0000 1000 03";)
> 
> Isn't it missing another "|" after the "03" in content?
> 

Actually, when I contributed this rule (v.1.5) there was not yet a
nocase option, so it also should have that, to catch combinations like
'dig VERSION.bind chaos txt @server'...

Tom.

-- 
_________________________________________________

Tom Vandepoel
Sr. Network Security Engineer

www.ubizen.com
tel +32 (0)16 28 70 00 - fax +32 (0)16 28 71 00 
Ubizen - Grensstraat 1b - B-3010 Leuven - Belgium
_________________________________________________
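
Added example (not part of the original thread, and not Snort's own code): a small Python sketch of how a content string with |hex| sections maps to bytes, showing why the pipes have to balance and what nocase changes for a 'dig VERSION.bind chaos txt' query. The helper names and the sample DNS packets are constructed for illustration, and the balanced pattern assumes the closing pipe the question asks about.

```python
import re

class ContentError(ValueError):
    """Raised when a content string cannot be converted to bytes."""

def parse_content(content: str) -> bytes:
    """Convert a Snort-style content string (text with |hex| sections) to bytes."""
    parts = content.split("|")
    # Text and hex sections alternate, so balanced pipes give an odd part count.
    if len(parts) % 2 == 0:
        raise ContentError("unbalanced '|' in content: %r" % content)
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode("latin-1")                    # literal text section
        else:
            out += bytes.fromhex(re.sub(r"\s+", "", part))   # hex section
    return bytes(out)

def matches(payload: bytes, pattern: bytes, nocase: bool = False) -> bool:
    """Substring match; nocase folds ASCII letters only, hex bytes are untouched."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload

def dns_query(name: str, qtype: int, qclass: int) -> bytes:
    """Build a minimal DNS query (constructed sample, not captured traffic)."""
    header = bytes.fromhex("123401000001000000000000")  # id, RD flag, qdcount=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + qtype.to_bytes(2, "big") + qclass.to_bytes(2, "big")

AS_POSTED = "version|04|bind|0000 1000 03"   # content exactly as quoted from line 142
BALANCED = AS_POSTED + "|"                   # assumption: closing pipe added

TXT, CHAOS = 16, 3                           # qtype 0x0010, qclass 0x0003

if __name__ == "__main__":
    try:
        parse_content(AS_POSTED)
    except ContentError as err:
        print("as posted:", err)
    pattern = parse_content(BALANCED)
    print("pattern bytes:", pattern.hex(" "))
    for qname in ("version.bind", "VERSION.bind"):
        pkt = dns_query(qname, TXT, CHAOS)
        print(qname, "case-sensitive:", matches(pkt, pattern),
              "nocase:", matches(pkt, pattern, nocase=True))
```

The hex tail is the root label (00) followed by the query type and class, which is why the same pattern only fires on CHAOS TXT lookups for that name.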