[Snort-users] trying to figure out a problem rule

Chris Green cmg at ...671...
Wed Jan 10 16:32:04 EST 2001


Using the Named Version Probe rules, it seems that depth or offset
work but not both.

nslookup -q=txt -class=CHAOS version.bind. nameserver

will trigger:

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"IDS278 - NAMED Version Probe"; content: "version";  nocase; depth: 29;)

will trigger:
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"IDS278 - NAMED Version Probe"; content: "version";  nocase; offset: 12;)

won't trigger:
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"IDS278 - NAMED Version Probe"; content: "version";  nocase; offset: 12; depth 29; )

 blah.1934 > nameserver.domain: 22121+ TXT CHAOS)? version.bind. (30)
           4500 003a c17e 0000 4011 9424 xxxx xxxx
           xxxx xxxx 078e 0035 0026 59c0 5669 0100
           0001 0000 0000 0000 0776 6572 7369 6f6e
           0462 696e 6400 0010 0003

Can anyone else reproduce this? jh was prodding me yesterday and I
just got around to fiddling.
-- 
Chris Green <cmg at ...671...>
This is my signature. There are many like it but this one is mine.
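As an added illustration (not part of the post above or of Snort itself), the script below decodes the hex dump from the post, strips the IPv4/UDP headers, and checks the three rule variants against the 30-byte DNS payload under two assumed interpretations of how depth combines with offset. Which interpretation Snort 1.x actually used is not established here; the masked addresses are replaced with placeholder values, which does not change the payload.

```python
from typing import Dict, Optional

# Constructed from the hex dump in the post; the masked addresses (xxxx) are
# replaced with placeholders, which does not affect the UDP payload.
HEXDUMP = ("4500 003a c17e 0000 4011 9424 0a00 0001 "
           "0a00 0002 078e 0035 0026 59c0 5669 0100 "
           "0001 0000 0000 0000 0776 6572 7369 6f6e "
           "0462 696e 6400 0010 0003")


def udp_payload(hexdump: str) -> bytes:
    """Strip the IPv4 and UDP headers and return the DNS payload."""
    pkt = bytes.fromhex("".join(hexdump.split()))
    ihl = (pkt[0] & 0x0F) * 4                 # 0x45 -> 20-byte IPv4 header
    if pkt[9] != 17:
        raise ValueError("not a UDP packet")
    udp_len = int.from_bytes(pkt[ihl + 4:ihl + 6], "big")  # includes 8-byte UDP header
    return pkt[ihl + 8:ihl + udp_len]


def rule_matches(payload: bytes, pattern: bytes, offset: Optional[int] = None,
                 depth: Optional[int] = None, depth_from_offset: bool = False,
                 clamp: bool = True) -> bool:
    """Case-insensitive (nocase) content match limited to the offset/depth window.
    depth_from_offset=False: depth counts from the start of the payload.
    depth_from_offset=True:  depth counts from offset (assumed alternative).
    clamp=False: a window that runs past the end of the packet never matches."""
    start = offset or 0
    end = len(payload) if depth is None else (start + depth if depth_from_offset else depth)
    if end > len(payload):
        if not clamp:
            return False
        end = len(payload)
    return pattern.lower() in payload[start:end].lower()


def probe_rules(payload: bytes, depth_from_offset: bool, clamp: bool) -> Dict[str, bool]:
    """Evaluate the three rule variants from the post under one interpretation."""
    kw = dict(depth_from_offset=depth_from_offset, clamp=clamp)
    return {
        "depth:29": rule_matches(payload, b"version", depth=29, **kw),
        "offset:12": rule_matches(payload, b"version", offset=12, **kw),
        "offset:12; depth:29": rule_matches(payload, b"version", offset=12, depth=29, **kw),
    }


if __name__ == "__main__":
    p = udp_payload(HEXDUMP)
    print(len(p), "byte payload, 'version' starts at byte", p.find(b"version"))
    print("absolute depth, clamped:     ", probe_rules(p, False, True))
    print("depth from offset, unclamped:", probe_rules(p, True, False))
```

Note also that the third rule as posted reads `depth 29` without the colon the other options carry, which is worth ruling out before blaming the offset/depth combination itself.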