[Snort-users] dns version query rules in 08292k

Martin Roesch roesch at ...421...
Tue Sep 19 09:56:54 EDT 2000


Both rules definitely don't need to exist.  I'd have to look at a DNS protocol
header, but I think the first might be the better rule...

    -Marty


Tom Vandepoel wrote:
> 
> Jim,
> 
> I've noticed there are 2 dns version query rules in 08292k:
> 
> -> alert udp !$HOME_NET any -> $HOME_NET 53 (msg: "IDS278 - SCAN -namedV version probe"; content: "|07|version|04|bind|00 0010 0003|"; nocase; offset: 12; depth: 32;)
> 
> -> alert udp !$HOME_NET any -> $HOME_NET 53 (msg:"MISC-DNS-version-query"; content:"version|04|bind|0000 1000 03";)
> 
> As I've mailed before, the second should have a "nocase;" included,
> which is still not the case in 08292k... but anyway, I don't see the
> need to have 2 rules which detect the same thing. The first rule is
> actually specified tighter (depth/offset, which might make it
> susceptible to stealth manipulations), but on the other hand, the second
> rule does not result in any false positives, and has the same effect as
> the first, once the nocase is added.
> 
> I'd vote for eliminating the first rule. In any case, there's no reason
> for both to exist, I think.
> 
> Tom.
> 
> --
> _________________________________________________
> 
> Tom Vandepoel
> Sr. Network Security Engineer
> 
> www.ubizen.com
> tel +32 (0)16 28 70 00 - fax +32 (0)16 28 71 00
> Ubizen - Grensstraat 1b - B-3010 Leuven - Belgium
> _________________________________________________

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
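An added example, not code from this thread or from the Snort project: a small Python model of how the content, nocase, offset and depth options of the two quoted rules behave against a DNS version.bind query (TXT, class CHAOS). The parse_content helper shows why the oddly grouped hex in the quoted rules ("|00 0010 0003|" versus "|0000 1000 03|") yields the same five bytes. The offset/depth semantics (offset skips bytes, depth bounds the search from there), the rule labels, the constructed query messages and the handling of the second rule's unterminated trailing hex section are my assumptions for this model, not Snort's actual matching engine.

```python
"""Model of Snort content/nocase/offset/depth matching for the two
version.bind rules discussed above (added example, not from the thread)."""

import struct


def parse_content(spec):
    """Turn a Snort 'content' string into raw bytes.

    Text outside |...| is literal; text inside the pipes is hex, and
    whitespace between hex digits is ignored, so "|00 0010 0003|" and
    "|0000 1000 03|" both give b"\\x00\\x00\\x10\\x00\\x03".  Assumption:
    a trailing hex section with no closing pipe (as in the second quoted
    rule) is accepted as hex rather than rejected.
    """
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:                       # literal text
            out += part.encode("ascii")
        else:                                # hex section
            digits = "".join(part.split())
            if len(digits) % 2:
                raise ValueError("odd number of hex digits in %r" % part)
            out += bytes.fromhex(digits)
    return bytes(out)


def encode_name(name):
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split(".")) + b"\x00"


def build_query(questions, txid=0x1234):
    """Constructed DNS query with one or more (name, qtype, qclass) questions.

    version.bind is asked for as type TXT (0x0010) in class CHAOS (0x0003).
    The 12-byte header is id, flags, qdcount, ancount, nscount, arcount.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, len(questions), 0, 0, 0)
    body = b"".join(encode_name(n) + struct.pack("!HH", t, c)
                    for n, t, c in questions)
    return header + body


def content_matches(payload, pattern, nocase=False, offset=0, depth=None):
    """Simplified content option: search payload[offset:offset+depth].

    Assumption: offset skips that many payload bytes, depth limits how
    many bytes are searched from that point, and no depth means the rest
    of the payload.  nocase compares ASCII letters case-insensitively.
    """
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window


# The two rules as quoted in the thread, plus the second rule with the
# nocase option Tom asked for.
RULES = {
    "IDS278": dict(pattern=parse_content("|07|version|04|bind|00 0010 0003|"),
                   nocase=True, offset=12, depth=32),
    "MISC": dict(pattern=parse_content("version|04|bind|0000 1000 03"),
                 nocase=False),
    "MISC+nocase": dict(pattern=parse_content("version|04|bind|0000 1000 03"),
                        nocase=True),
}


def check(payload):
    """Which of the modelled rules fire on this UDP payload."""
    return {name: content_matches(payload, **opts) for name, opts in RULES.items()}


def evaluate_scenarios():
    """Three constructed queries that separate the rules' behaviour."""
    lowercase = build_query([("version.bind", 0x0010, 0x0003)])
    # DNS names are case-insensitive on the wire; a client may send this.
    mixed_case = build_query([("VERSION.bind", 0x0010, 0x0003)])
    # version.bind as the second question, pushed past bytes 12..44 of the
    # payload, i.e. outside the offset:12/depth:32 search window.
    second_question = build_query([("a" * 40 + ".example", 0x0001, 0x0001),
                                   ("version.bind", 0x0010, 0x0003)])
    return {
        "lowercase": check(lowercase),
        "mixed_case": check(mixed_case),
        "second_question": check(second_question),
    }


if __name__ == "__main__":
    for scenario, hits in evaluate_scenarios().items():
        print(scenario, hits)
```

The lowercase query trips all three rules; the mixed-case query is missed by the second rule as shipped and caught once nocase is added; the message in which version.bind is not the first question is seen only by the rule without offset/depth, which is the trade-off between a tightly bounded search window and an unbounded one that the thread is weighing.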


