[Snort-users] Bad matching of new zone transfer rule by snort?

Martin Roesch roesch at ...421...
Fri Oct 6 23:17:29 EDT 2000


Hmm, interesting.  I just tested this rule out and it's firing correctly on my
1.6.3-patch2 setup.  Are you sure that that was the correct packet?  I'm
wondering why it collected that particular packet and none of the others in
the connection with the PA flags set...

    -Marty

James Hoagland wrote:
> 
> At 6:49 PM -0400 10/5/00, Keith Pachulski wrote:
> >that rule was redone some time ago, here is the new one which was
> >posted on arachnids
> >
> >alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"IDS212 DNS Zone
> >Transfer"; content: "|01 00 00 01 00 00 00 00 00 00|"; flags: AP;
> >offset: 2; depth: 16;)
> 
> Actually, the rule here is the old one that was not based on protocol
> analysis.  This pretty much matches any DNS query over TCP.  The one
> I listed was the new one (based on protocol analysis) and is the one
> currently on archNIDS.
> 
> Regards,
> 
>    Jim
> --
> |*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
> |*               hoagland at ...47...                *|
> |*  Voice: (707) 445-4355 x13          Fax: (707) 445-4222  *|
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
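
Jim's point above, that the quoted content match fires on any DNS query carried over TCP, can be checked offline. The following is an added Python example, not code from this thread or from Snort: it emulates the quoted rule's content/offset/depth test on constructed TCP DNS payloads and contrasts it with a protocol-analysis check that reads the question's QTYPE (AXFR is type 252 per RFC 1035). The rule's flags:AP test is not emulated, since no TCP header is built, and depth is taken relative to offset.

```python
import struct

# Content match from the IDS212 rule quoted in the thread, applied to the TCP payload.
RULE_CONTENT = bytes.fromhex("01000001000000000000")
RULE_OFFSET, RULE_DEPTH = 2, 16

QTYPE_A = 1
QTYPE_AXFR = 252  # RFC 1035 zone-transfer query type


def build_tcp_dns_query(name, qtype, txid=0x1234):
    """Constructed sample: DNS query over TCP (2-byte length, 12-byte header, one IN question)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    question = labels + b"\x00" + struct.pack(">HH", qtype, 1)
    msg = header + question
    return struct.pack(">H", len(msg)) + msg


def rule_content_matches(payload):
    """Emulate the rule: search RULE_CONTENT within RULE_DEPTH bytes starting at RULE_OFFSET."""
    return RULE_CONTENT in payload[RULE_OFFSET:RULE_OFFSET + RULE_DEPTH]


def question_qtype(payload):
    """Protocol analysis: parse the TCP DNS message and return the first question's QTYPE."""
    if len(payload) < 2:
        return None
    msg = payload[2:2 + struct.unpack(">H", payload[:2])[0]]
    if len(msg) < 12 or struct.unpack(">H", msg[4:6])[0] < 1:
        return None
    i = 12
    while i < len(msg):  # walk the QNAME labels to find the QTYPE that follows them
        l = msg[i]
        if l == 0:
            i += 1
            break
        if l & 0xC0:  # compression pointer ends the name after two bytes
            i += 2
            break
        i += 1 + l
    else:
        return None  # name never terminated: truncated message
    if i + 4 > len(msg):
        return None
    return struct.unpack(">H", msg[i:i + 2])[0]


def is_axfr_query(payload):
    return question_qtype(payload) == QTYPE_AXFR


if __name__ == "__main__":
    for qtype in (QTYPE_A, QTYPE_AXFR):  # constructed inputs, both ordinary and AXFR queries
        p = build_tcp_dns_query("example.com", qtype)
        print(qtype, "rule:", rule_content_matches(p), "axfr:", is_axfr_query(p))
```

The content match returns True for both the A query and the AXFR query, while only the QTYPE check separates them.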