[Snort-users] dns version query rules in 08292k

Jim Forster jforster at ...176...
Tue Sep 19 10:13:59 EDT 2000


More to add to the list of 'to do's.  :)
I actually removed around 20 'excess' rules yesterday, I'll see if this one
was in that list.
Thanks.

----- Original Message -----
From: "Martin Roesch" <roesch at ...421...>
To: "Tom Vandepoel" <Tom.Vandepoel at ...271...>
Cc: <jforster at ...176...>; <snort-users at lists.sourceforge.net>
Sent: Tuesday, September 19, 2000 7:56 AM
Subject: Re: [Snort-users] dns version query rules in 08292k


> Both rules definitely don't need to exist.  I'd have to look at a DNS protocol
> header, but I think the first might be the better rule...
>
>     -Marty
>
>
> Tom Vandepoel wrote:
> >
> > Jim,
> >
> > I've noticed there are 2 dns version query rules in 08292k:
> >
> > -> alert udp !$HOME_NET any -> $HOME_NET 53 (msg: "IDS278 - SCAN -namedV
> > version probe"; content: "|07|version|04|bind|00 0010 0003|"; nocase;
> > offset: 12; depth: 32;)
> >
> > -> alert udp !$HOME_NET any -> $HOME_NET 53
> > (msg:"MISC-DNS-version-query"; content:"version|04|bind|0000 1000 03";)
> >
> > As I've mailed before, the second should have a "nocase;" included,
> > which is still not the case in 08292k... but anyway, I don't see the
> > need to have 2 rules which detect the same thing. The first rule is
> > actually specified tighter (depth/offset, which might make it
> > susceptible to stealth manipulations), but on the other hand, the second
> > rule does not result in any false positives, and has the same effect as
> > the first, once the nocase is added.
> >
> > I'd vote for eliminating the first rule. In any case, there's no reason
> > for both to exist, I think.
> >
> > Tom.
> >
> > --
> > _________________________________________________
> >
> > Tom Vandepoel
> > Sr. Network Security Engineer
> >
> > www.ubizen.com
> > tel +32 (0)16 28 70 00 - fax +32 (0)16 28 71 00
> > Ubizen - Grensstraat 1b - B-3010 Leuven - Belgium
> > _________________________________________________
>
> --
> Martin Roesch
> roesch at ...421...
> http://www.snort.org
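The point Tom and Marty are arguing about (nocase on the second rule, and the offset/depth restriction on the first) can be checked against the bytes of an actual version.bind query. The script below is an added example, not code from the thread or from the Snort project: it builds a constructed DNS query for version.bind TXT/CH, models Snort's content/offset/depth/nocase matching in a few lines (an assumption: depth is counted from offset, and nocase lowercases both pattern and payload), and runs both rules' content patterns against a plain query, a mixed-case query, and a query in which an extra question section pushes version.bind past the first rule's depth window.

```python
import struct

# Byte patterns taken from the two rules quoted in the thread.
# Rule 1: content "|07|version|04|bind|00 0010 0003|" with offset 12, depth 32, nocase.
RULE1_CONTENT = b"\x07version\x04bind\x00\x00\x10\x00\x03"
# Rule 2: content "version|04|bind|0000 1000 03" with no offset/depth; whether it
# carries nocase is the point under discussion.
RULE2_CONTENT = b"version\x04bind\x00\x00\x10\x00\x03"

QTYPE_TXT = 16    # 0x0010, the "00 10" in both rules
QCLASS_CHAOS = 3  # 0x0003, the "00 03" in both rules


def dns_query(qname, extra_qnames=(), txid=0x1234):
    """Build a constructed DNS query (UDP payload) asking for TXT records in class CH.

    extra_qnames are emitted as additional question sections *before* qname,
    which pushes the interesting name further away from the 12-byte header.
    """
    names = list(extra_qnames) + [qname]
    # Header: id, flags (standard query, RD), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, len(names), 0, 0, 0)
    body = b""
    for name in names:
        for label in name.split("."):
            body += bytes([len(label)]) + label.encode("ascii")
        body += b"\x00" + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)
    return header + body


def content_match(payload, pattern, nocase=False, offset=0, depth=None):
    """Simplified model (assumption) of Snort content matching: search for
    pattern in payload[offset:offset+depth]; nocase compares case-insensitively."""
    end = None if depth is None else offset + depth
    window = payload[offset:end]
    if nocase:
        return pattern.lower() in window.lower()
    return pattern in window


def evaluate():
    """Run both rules' content checks over three constructed queries."""
    plain = dns_query("version.bind")
    mixed = dns_query("VERSION.BIND")
    # A 40-byte first label plus a second name moves version.bind to payload
    # offset 66, outside rule 1's offset 12 / depth 32 window.
    padded = dns_query("version.bind", extra_qnames=("a" * 40 + ".example",))
    return {
        "rule1_plain": content_match(plain, RULE1_CONTENT, nocase=True, offset=12, depth=32),
        "rule1_mixed": content_match(mixed, RULE1_CONTENT, nocase=True, offset=12, depth=32),
        "rule2_mixed_no_nocase": content_match(mixed, RULE2_CONTENT),
        "rule2_mixed_nocase": content_match(mixed, RULE2_CONTENT, nocase=True),
        "rule1_padded": content_match(padded, RULE1_CONTENT, nocase=True, offset=12, depth=32),
        "rule2_padded": content_match(padded, RULE2_CONTENT, nocase=True),
    }


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:24s} {'ALERT' if hit else 'no match'}")
```

The results line up with the thread: without nocase the second rule misses a mixed-case VERSION.BIND query, with nocase it catches everything the first rule catches, and the first rule's offset/depth window is what lets a padded query slip past it.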
