[Snort-users] dns version query rules in 08292k

Tom Vandepoel Tom.Vandepoel at ...271...
Tue Sep 19 05:52:50 EDT 2000


I've noticed there are 2 dns version query rules in 08292k:

-> alert udp !$HOME_NET any -> $HOME_NET 53 (msg: "IDS278 - SCAN -namedV
version probe"; content: "|07|version|04|bind|00 0010 0003|"; nocase;
offset: 12; depth: 32;)

-> alert udp !$HOME_NET any -> $HOME_NET 53
(msg:"MISC-DNS-version-query"; content:"version|04|bind|0000 1000 03";)

As I've mailed before, the second should have a "nocase;" included,
which is still not the case in 08292k... but anyway, I don't see the
need to have 2 rules which detect the same thing. The first rule is
actually specified tighter (depth/offset, which might make it
susceptible to stealth manipulations), but on the other hand, the second
rule does not result in any false positives, and has the same effect as
the first, once the nocase is added.

I'd vote for eliminating the first rule. In any case, there's no reason
for both to exist, I think.



Tom Vandepoel
Sr. Network Security Engineer

tel +32 (0)16 28 70 00 - fax +32 (0)16 28 71 00 
Ubizen - Grensstraat 1b - B-3010 Leuven - Belgium
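The point about "nocase" is easy to check by hand. The following is an added example, not code from the post or from the Snort project: it models Snort's content/nocase/offset/depth matching in a few lines of Python (my own simplified reading of those keywords, assumed for illustration: depth bounds the search window that starts at offset, and nocase lowercases both pattern and window), builds constructed DNS queries for version.bind TXT/CHAOS, and evaluates the two quoted rules plus the second rule with nocase added. Rule names and the helper functions are mine.

```python
import struct

# Content specs copied from the two rules quoted in the post; the third
# entry is the second rule with the "nocase;" the post asks for.
RULES = {
    "IDS278": {"content": "|07|version|04|bind|00 0010 0003|",
               "nocase": True, "offset": 12, "depth": 32},
    "MISC-DNS-version-query": {"content": "version|04|bind|0000 1000 03",
                               "nocase": False},
    "MISC-DNS-version-query+nocase": {"content": "version|04|bind|0000 1000 03",
                                      "nocase": True},
}

QTYPE_TXT, QCLASS_CHAOS, QCLASS_IN = 16, 3, 1


def parse_content(spec):
    """Turn a Snort content string into raw bytes.

    Text outside |...| is literal ASCII; text inside is hex, and the spaces
    Snort allows between hex digits are ignored."""
    out = bytearray()
    in_hex = False
    for part in spec.split("|"):
        if in_hex:
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("ascii")
        in_hex = not in_hex
    return bytes(out)


def content_matches(payload, rule):
    """Simplified content match (assumption, not Snort's real engine):
    search the pattern inside payload[offset:offset+depth]; with nocase the
    comparison is done on ASCII-lowercased bytes (hex bytes are unaffected)."""
    pattern = parse_content(rule["content"])
    offset = rule.get("offset", 0)
    depth = rule.get("depth")
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    if rule.get("nocase"):
        return pattern.lower() in window.lower()
    return pattern in window


def build_dns_query(qname, qtype, qclass, txid=0x1234):
    """Constructed DNS query: 12-byte header (RD set, one question) followed
    by the length-prefixed labels of qname, a zero terminator, QTYPE and QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                      for lbl in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, qclass)


def evaluate(payload):
    """Return {rule name: matched?} for every rule in RULES."""
    return {name: content_matches(payload, rule) for name, rule in RULES.items()}


if __name__ == "__main__":
    samples = {
        "version.bind TXT CHAOS (lowercase)": build_dns_query("version.bind", QTYPE_TXT, QCLASS_CHAOS),
        "VERSION.BIND TXT CHAOS (uppercase)": build_dns_query("VERSION.BIND", QTYPE_TXT, QCLASS_CHAOS),
        "version.bind TXT IN (wrong class)": build_dns_query("version.bind", QTYPE_TXT, QCLASS_IN),
    }
    for label, pkt in samples.items():
        print(f"{label}: {evaluate(pkt)}")
```

DNS names are compared case-insensitively (RFC 1034), so an upper-case VERSION.BIND query is a perfectly valid probe; the run shows IDS278 and the nocase variant catching it while the unmodified second rule is silent. The trailing |00 03| in both contents also pins the question to class CHAOS, so a version.bind query in class IN matches neither rule, which is worth knowing when reading alerts from either one.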
