[Snort-users] Bad matching of new zone transfer rule by snort?

James Hoagland hoagland at ...47...
Thu Oct 5 14:00:25 EDT 2000


Greetings,

Does anyone see why this rule:

alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"IDS212 - MISC - DNS Zone Transfer"; content: "|FC|"; flags: AP; offset: 13;)

would match in this case:

[**] IDS212 - MISC - DNS Zone Transfer [**]
10/04-15:40:26.507376 0:A0:C9:B2:5:82 -> 0:A0:24:7B:2E:AE type:0x800 len:0x58
xx.xx.xx.xx:1901 -> xx.xx.xx.yy:53 TCP TTL:128 TOS:0x0 ID:52819  DF
*****PA* Seq: 0x10C0F451   Ack: 0xD8F3A223   Win: 0x2238
00 20 00 01 01 00 00 01 00 00 00 00 00 00 0A 65  . .............e
75 72 65 6B 61 77 65 62 73 03 63 6F 6D 00 00 0F  urekawebs.com...
00 01                                            ..

This is not a zone transfer.  Moreover it does not even match the 
rule.  There is no 0xFC character past byte 13 (or anywhere I see).

This is the new zone transfer rule in the latest Rapidnet 
distribution.  The new rule was based on my suggestion on this list.

Can anyone explain this match?  We are getting quite a few of these 
apparent bad matches.  The rule does catch actual zone transfers 
okay.  It does not match on all contents though and I haven't figured 
out the pattern as to which it does.

I had wondered about the "flags" being between the "content" and the 
"offset".  Looking at the source code, it doesn't seem to matter. 
Then again, I'm not really familiar with that part of the code.

Is anyone else having this problem?

Confused,

   Jim
-- 
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...47...                *|
|*  Voice: (707) 445-4355 x13          Fax: (707) 445-4222  *|
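As an added example (not part of the original post, and not Snort's own matching code), the following parses the TCP DNS payload from the hex dump above, reads the actual QTYPE to decide whether the request is a zone transfer, and applies the posted rule's content/offset test literally. It assumes the packet bytes are exactly as transcribed in the dump.

```python
import struct

# Payload bytes transcribed from the hex dump in the post: a 2-byte TCP
# length prefix followed by the DNS message.
PAYLOAD_HEX = (
    "00 20 00 01 01 00 00 01 00 00 00 00 00 00 0A 65"
    "75 72 65 6B 61 77 65 62 73 03 63 6F 6D 00 00 0F"
    "00 01"
)
PAYLOAD = bytes.fromhex(PAYLOAD_HEX)

QTYPE_AXFR = 0xFC   # 252: full zone transfer request
QTYPE_IXFR = 0xFB   # 251: incremental zone transfer request

def parse_tcp_dns_question(payload):
    """Return (qname, qtype, qclass) of the first question in a TCP DNS message.
    TCP framing puts a big-endian 2-byte length in front of the DNS header."""
    (length,) = struct.unpack("!H", payload[:2])
    msg = payload[2:2 + length]
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    (qdcount,) = struct.unpack("!H", msg[4:6])
    if qdcount < 1:
        raise ValueError("no question section")
    # Walk the label sequence after the 12-byte header. A question-only
    # message carries no compression pointers, so only plain labels are handled.
    labels, pos = [], 12
    while True:
        label_len = msg[pos]
        pos += 1
        if label_len == 0:
            break
        if label_len & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos:pos + label_len].decode("ascii"))
        pos += label_len
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype, qclass

def is_zone_transfer_request(payload):
    """A zone transfer is identified by the QTYPE field, not by 0xFC appearing anywhere."""
    _, qtype, _ = parse_tcp_dns_question(payload)
    return qtype in (QTYPE_AXFR, QTYPE_IXFR)

def rule_content_matches(payload, content=b"\xfc", offset=13):
    """Literal reading of the posted rule: does `content` occur at or after `offset`?"""
    return payload.find(content, offset) != -1
```

For the dumped packet the parser reports an MX query (QTYPE 15) for eurekawebs.com, and neither the QTYPE check nor the literal content search fires, which agrees with the post's reading that the alert should not have matched.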