[Snort-users] Bad matching of new zone transfer rule by snort ?

James Hoagland hoagland at ...47...
Thu Oct 5 22:21:21 EDT 2000


At 6:49 PM -0400 10/5/00, Keith Pachulski wrote:
>that rule was redone some time ago, here is the new one which was
>posted on arachnids
>
>alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"IDS212 DNS Zone
>Transfer"; content: "|01 00 00 01 00 00 00 00 00 00|"; flags: AP;
>offset: 2; depth: 16;)

Actually, the rule here is the old one that was not based on protocol 
analysis.  This pretty much matches any DNS query over TCP.  The one 
I listed was the new one (based on protocol analysis) and is the one 
currently on arachNIDS.

Regards,

   Jim
-- 
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...47...                *|
|*  Voice: (707) 445-4355 x13          Fax: (707) 445-4222  *|
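An added illustration of Jim's point, not code from the thread or from arachNIDS: the content bytes in the quoted rule are just the fixed header fields of an ordinary recursive query (flags 0x0100, QDCOUNT 1, other counts 0), so a plain A lookup over TCP satisfies the rule as readily as an AXFR request does. Telling them apart requires reading the question's QTYPE; the function names and the sample queries below are constructed for this example.

```python
import struct

# Content from the quoted IDS212 rule: flags=0x0100, QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
RULE_CONTENT = bytes.fromhex("01000001000000000000")
RULE_OFFSET, RULE_DEPTH = 2, 16          # "offset: 2; depth: 16;" from the rule

QTYPE_A, QTYPE_AXFR = 1, 252             # RFC 1035 QTYPE values

def build_tcp_dns_query(name, qtype, txid=0x1234, rd=True):
    """Build a DNS query as carried over TCP: 2-byte length prefix + message (RFC 1035 4.2.2)."""
    flags = 0x0100 if rd else 0x0000     # only the RD bit set for a standard query
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg

def old_rule_matches(payload):
    """Emulate the quoted rule's content/offset/depth test on a TCP payload.
    Snort searches for the content within the DEPTH bytes starting at OFFSET."""
    window = payload[RULE_OFFSET:RULE_OFFSET + RULE_DEPTH]
    return RULE_CONTENT in window

def question_qtype(payload):
    """Return the first question's QTYPE, skipping the TCP length prefix and the 12-byte header."""
    pos = 2 + 12
    while payload[pos] != 0:             # walk the labels (query names are not compressed)
        pos += 1 + payload[pos]
    pos += 1                             # past the terminating zero-length label
    (qtype,) = struct.unpack("!H", payload[pos:pos + 2])
    return qtype

def is_axfr_request(payload):
    """Protocol-aware check: a zone transfer request carries QTYPE AXFR (252)."""
    return question_qtype(payload) == QTYPE_AXFR

if __name__ == "__main__":
    a_query = build_tcp_dns_query("www.example.com", QTYPE_A)
    axfr = build_tcp_dns_query("example.com", QTYPE_AXFR)
    for label, pkt in (("A query", a_query), ("AXFR request", axfr)):
        print(f"{label}: old rule fires={old_rule_matches(pkt)}, AXFR by QTYPE={is_axfr_request(pkt)}")
```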
