[Snort-users] Bad matching of new zone transfer rule by snort ?

Keith Pachulski Keith.Pachulski at ...222...
Thu Oct 5 18:49:28 EDT 2000


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

that rule was redone some time ago, here is the new one which was
posted on arachnids

alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"IDS212 DNS Zone Transfer"; content: "|01 00 00 01 00 00 00 00 00 00|"; flags: AP; offset: 2; depth: 16;)

- -----Original Message-----
From: James Hoagland [mailto:hoagland at ...155...]
Sent: Thursday, October 05, 2000 2:00 PM
To: snort-users at lists.sourceforge.net
Cc: hoagland at ...155...
Subject: [Snort-users] Bad matching of new zone transfer rule by snort?



Greetings,

Does anyone see why this rule:

alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"IDS212 - MISC - DNS Zone Transfer"; content: "|FC|"; flags: AP; offset: 13;)

would match in this case:

[**] IDS212 - MISC - DNS Zone Transfer [**]
10/04-15:40:26.507376 0:A0:C9:B2:5:82 -> 0:A0:24:7B:2E:AE type:0x800 len:0x58
xx.xx.xx.xx:1901 -> xx.xx.xx.yy:53 TCP TTL:128 TOS:0x0 ID:52819  DF
*****PA* Seq: 0x10C0F451   Ack: 0xD8F3A223   Win: 0x2238
00 20 00 01 01 00 00 01 00 00 00 00 00 00 0A 65  . .............e
75 72 65 6B 61 77 65 62 73 03 63 6F 6D 00 00 0F  urekawebs.com...
00 01                                            ..

This is not a zone transfer.  Moreover it does not even match the 
rule.  There is no 0xFC character past byte 13 (or anywhere I see).

This is the new zone transfer rule in the latest Rapidnet 
distribution.  The new rule was based on my suggestion on this list.

Can anyone explain this match?  We are getting quite a few of these 
apparent bad matches.  The rule does catch actual zone transfers 
okay.  It does not match on all contents though and I haven't figured
out the pattern as to which it does.

I had wondered about the "flags" being between the "content" and the 
"offset".  Looking at the source code, it doesn't seem to matter. 
Then again, I'm not really familiar with that part of the code.

Is anyone else having this problem?

Confused,

   Jim
- -- 
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...47...                *|
|*  Voice: (707) 445-4355 x13          Fax: (707) 445-4222  *|
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBOd0EpuGTq6qVSXTQEQKVhACg6YCjVyqu+OKGIcShSOlH0vVT2msAoMO4
c+eQY4ssT5HzaLJqGMYiIxGO
=NMJM
-----END PGP SIGNATURE-----