[Snort-users] Re: fingerprinting BIND 9.1.0 (changed Subject line)
Crist J. Clark
cjclark at ...960...
Tue Jan 30 15:39:21 EST 2001
On Tue, Jan 30, 2001 at 06:07:35AM -0800, Max Vision wrote:
> The BIND 9.1.0beta releases and now BIND 9.1.0 include another hard coded
> chaos record called "authors".
> The following Snort signature will detect these probes:
> alert UDP $EXTERNAL any -> $INTERNAL 53 (msg:
> "IDS480/named-probe-authors"; content: "|07|authors|04|bind"; depth: 32;
> offset: 12; nocase;)
Thanks, Max. I was about to reply on Bugtraq, but figured this was a
Oy. I do not feel like reading RFC1035 right now. Any DNS-Snort pros want
to pose a rule to catch all CHAOS (class 3, IIRC?) record lookups
and be done with it? I believe the query class moves around in the
datagram depending on how long the name queried is. Curious if this is
Crist J. Clark cjclark at ...485...
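
The point raised above, that the query class sits at a different offset depending on the length of the queried name, shown as an added example (not part of the original message and not Snort code): a small Python check that walks the QNAME labels to find QCLASS and flags any CHAOS-class query. The function names and the sample datagrams are constructed for illustration; the class value 3 (CH) is from RFC 1035.

```python
import struct

CLASS_CHAOS = 3   # RFC 1035 section 3.2.4: CH
HEADER_LEN = 12   # fixed DNS header; the question section starts right after it

def build_query(name, qtype=16, qclass=CLASS_CHAOS, txid=0x1234):
    """Constructed sample input: a one-question DNS query datagram."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)

def parse_question(dgram):
    """Return (qname, qtype, qclass, qclass_offset), or None if not a well-formed query."""
    if len(dgram) < HEADER_LEN:
        return None
    flags, qdcount = struct.unpack_from("!HH", dgram, 2)
    if flags & 0x8000 or qdcount < 1:       # QR bit set means a response, not a lookup
        return None
    pos, labels = HEADER_LEN, []
    while True:
        if pos >= len(dgram):
            return None                      # ran off the end of the datagram
        length = dgram[pos]
        pos += 1
        if length == 0:
            break                            # root label terminates QNAME
        if length > 63 or pos + length > len(dgram):
            return None                      # compression pointer, reserved bits, or truncated label
        labels.append(dgram[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(dgram):
        return None                          # QTYPE/QCLASS missing
    qtype, qclass = struct.unpack_from("!HH", dgram, pos)
    return ".".join(labels), qtype, qclass, pos + 2

def is_chaos_query(dgram):
    """True for any query whose first question is class CHAOS, whatever the name."""
    q = parse_question(dgram)
    return q is not None and q[2] == CLASS_CHAOS

if __name__ == "__main__":
    # "x.bind" is a constructed name, used only to show the QCLASS offset shifting
    for name, qtype, qclass in [("authors.bind", 16, 3), ("x.bind", 16, 3), ("www.example.com", 1, 1)]:
        d = build_query(name, qtype, qclass)
        print(name, parse_question(d), is_chaos_query(d))
```
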