[Snort-users] BIND signature triggered.

Martin Roesch roesch at ...1935...
Sun Apr 29 16:29:47 EDT 2001


Can we see the full rule?

   -Marty

"Scott A. McIntyre" wrote:
> 
> Hi,
> 
> I've got a BIND intrusion signature that I've been using for a while but
> over the last two weeks I've been getting what appear to be false
> alerts.  The packet that triggers my alert is:
> 
> 04/29/01-22:04:59.402601 xxx.xx.xx.xxx:1057 -> xxx.xxx.xxx.xxx:53
> UDP TTL:126 TOS:0x0 ID:2 IpLen:20 DgmLen:540
> Len: 520
> 50 40 41 48 45 42 43 3A 7F 6C 68 68 6D 60 51 3D  P@AHEBC:.lhhm`Q=
> 3E 23 27 3D 72 67 73 72 12 56 4D 55 59 4F 23 53  >#'=rgsr.VMUYO#S
> 49 52 43 03 77 4A 50 42 22 66 78 6C 6D 63 67 75  IRC.wJPB"fxlmcgu
> 71 65 7B 7C 7A 08 5A 58 54 58 49 54 50 52 34 3F  qe{|z.ZXTXITPR4?
> 40 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F  @ABCDEFGHIJKLMNO
> 50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F  PQRSTUVWXYZ[\]^_
> 60 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F  `abcdefghijklmno
> 70 71 72 73 74 75 76 77 78 79 7A 7B 7C 7D 7E 7F  pqrstuvwxyz{|}~.
> 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F  ................
> 90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F  ................
> A0 A1 A2 A3 A4 A5 A6 A7 A8 A9 AA AB AC AD AE AF  ................
> B0 B1 B2 B3 B4 B5 B6 B7 B8 B9 BA BB BC BD BE BF  ................
> C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF  ................
> D0 D1 D2 D3 D4 D5 D6 D7 D8 D9 DA DB DC DD DE DF  ................
> E0 E1 E2 E3 E4 E5 E6 E7 E8 E9 EA EB EC ED EE EF  ................
> F0 F1 F2 F3 F4 F5 F6 F7 F8 F9 FA FB FC FD FE FF  ................
> 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F  ................
> 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
> 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
> 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F  0123456789:;<=>?
> 40 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F  @ABCDEFGHIJKLMNO
> 50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F  PQRSTUVWXYZ[\]^_
> 60 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F  `abcdefghijklmno
> 70 71 72 73 74 75 76 77 78 79 7A 7B 7C 7D 7E 7F  pqrstuvwxyz{|}~.
> 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F  ................
> 90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F  ................
> A0 A1 A2 A3 A4 A5 A6 A7 A8 A9 AA AB AC AD AE AF  ................
> B0 B1 B2 B3 B4 B5 B6 B7 B8 B9 BA BB BC BD BE BF  ................
> C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF  ................
> D0 D1 D2 D3 D4 D5 D6 D7 D8 D9 DA DB DC DD DE DF  ................
> E0 E1 E2 E3 E4 E5 E6 E7 E8 E9 EA EB EC ED EE EF  ................
> F0 F1 F2 F3 F4 F5 F6 F7 F8 F9 FA FB FC FD FE FF  ................
> 
> This seems a pretty peculiar packet in its own right, so I'm wondering
> if others have seen it before.
> 
> This is triggered due to an observation of the following content in a
> number of other (valid) BIND related intrusions:
> 
> content:"|06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19
> 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31
> 32 33 34 35|"
> 
> Ideas?
> 
> Thanks,
> Scott
> 

--
Martin Roesch
roesch at ...421...
http://www.snort.org
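An added example, not part of the thread: Python that rebuilds the 512-byte payload from the quoted Snort hex dump (the first four rows copied, the remaining 28 ramp rows regenerated in the same format, with the archive's mangled "@" restored), applies Scott's content match the way Snort's unanchored search does, and measures the run of incrementing bytes that makes this packet hit a rule written for a byte ramp.

```python
# Constructed reproduction of the packet quoted in the thread: the first four
# rows are copied from the dump; the remaining 28 rows are the 0x40..0xFF,
# 0x00..0xFF counter ramp it shows, regenerated in Snort's dump format.
HEAD_ROWS = """\
50 40 41 48 45 42 43 3A 7F 6C 68 68 6D 60 51 3D  P@AHEBC:.lhhm`Q=
3E 23 27 3D 72 67 73 72 12 56 4D 55 59 4F 23 53  >#'=rgsr.VMUYO#S
49 52 43 03 77 4A 50 42 22 66 78 6C 6D 63 67 75  IRC.wJPB"fxlmcgu
71 65 7B 7C 7A 08 5A 58 54 58 49 54 50 52 34 3F  qe{|z.ZXTXITPR4?
"""

def ramp_rows(first, count):
    """Emit `count` 16-byte rows of incrementing bytes, formatted like Snort -d output."""
    rows = []
    for r in range(count):
        vals = [(first + 16 * r + j) & 0xFF for j in range(16)]
        hexpart = " ".join(f"{v:02X}" for v in vals)
        asc = "".join(chr(v) if 0x20 <= v < 0x7F else "." for v in vals)
        rows.append(f"{hexpart}  {asc}")
    return "\n".join(rows) + "\n"

SNORT_DUMP = HEAD_ROWS + ramp_rows(0x40, 28)

# The content option exactly as Scott's rule gives it.
RULE_CONTENT = ('content:"|06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 '
                '18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C '
                '2D 2E 2F 30 31 32 33 34 35|"')

def parse_snort_dump(text):
    """Rebuild payload bytes from 'hex  ascii' rows; the ASCII column is dropped."""
    out = bytearray()
    for line in text.splitlines():
        hexpart = line.split("  ", 1)[0]  # ASCII column can itself look like hex
        out.extend(int(tok, 16) for tok in hexpart.split())
    return bytes(out)

def parse_content(option):
    """Extract the binary bytes from a Snort content:"|..|" option."""
    hexpart = option.split("|")[1]
    return bytes(int(tok, 16) for tok in hexpart.split())

def match_offsets(payload, pattern):
    """Every offset where the content would match (Snort's search is unanchored)."""
    return [i for i in range(len(payload) - len(pattern) + 1)
            if payload[i:i + len(pattern)] == pattern]

def longest_ramp(payload):
    """(start, length) of the longest run where each byte equals the previous + 1 mod 256."""
    best, start = (0, 0), 0
    for i in range(1, len(payload) + 1):
        if i == len(payload) or payload[i] != (payload[i - 1] + 1) & 0xFF:
            if i - start > best[1]:
                best = (start, i - start)
            start = i
    return best
```

On this packet the 48-byte content matches once, at offset 262, inside a 449-byte ramp that starts at offset 63; any payload that counts through 0x06..0x35 in order will trip the rule, whatever its purpose.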
