[Snort-users] Re: fingerprinting BIND 9.1.0 (changed Subject line)

Crist J. Clark cjclark at ...960...
Tue Jan 30 15:39:21 EST 2001


On Tue, Jan 30, 2001 at 06:07:35AM -0800, Max Vision wrote:

[snip]

> The BIND 9.1.0beta releases and now BIND 9.1.0 include another hard coded
> chaos record called "authors".

[snip]

> The following Snort signature will detect these probes:
> alert UDP $EXTERNAL any -> $INTERNAL 53 (msg:
> "IDS480/named-probe-authors"; content: "|07|authors|04|bind"; depth: 32;
> offset: 12; nocase;)
> http://whitehats.com/info/IDS480

Thanks, Max. I was about to reply on Bugtraq, but figured this was a
better forum.

Oy. I do not feel like reading RFC1035 right now. Any DNS-Snort pros want
to pose a rule to catch all CHAOS (class 3, IIRC?) record lookups 
and be done with it? I believe the query class moves around in the 
datagram depending on how long the name queried is. Curious if this is
practical.
-- 
Crist J. Clark                           cjclark at ...485...
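As an added illustration of the layout question raised above (this is not code from the thread, from Max Vision, or from the Snort project), the following Python script builds a few one-question DNS query datagrams as constructed sample input and walks the question section the way RFC 1035 lays it out: a fixed 12-byte header, then QNAME as length-prefixed labels ending in a zero byte, then 2-byte QTYPE and 2-byte QCLASS. Because QNAME is variable length, QCLASS sits at 12 + (wire length of QNAME) + 2, which is why its offset moves with the name queried, and why the posted rule anchors on the name itself at offset 12 rather than on the class field. CHAOS is class 3 and TXT is type 16; the function names and the sample names are the author's own choices for this example.

```python
import struct

DNS_HEADER_LEN = 12   # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035 4.1.1)
QCLASS_CH = 3         # CHAOS class (RFC 1035 3.2.4)
QTYPE_TXT = 16        # TXT record type


def encode_name(name):
    """Encode a dotted name as RFC 1035 labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, qclass, txid=0x1234):
    """Build a one-question DNS query datagram (constructed sample input)."""
    # flags 0x0100 = recursion desired, QDCOUNT = 1, other counts 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def parse_question(datagram):
    """Parse the first question of a DNS datagram.

    Returns (qname, qtype, qclass, qclass_offset), where qclass_offset is
    the byte position of the QCLASS field inside the datagram.
    """
    if len(datagram) < DNS_HEADER_LEN:
        raise ValueError("short header")
    qdcount = struct.unpack("!H", datagram[4:6])[0]
    if qdcount == 0:
        raise ValueError("no question section")
    pos = DNS_HEADER_LEN
    labels = []
    while True:
        if pos >= len(datagram):
            raise ValueError("truncated name")
        length = datagram[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:
            # A compression pointer has no business in a query's QNAME;
            # refusing it also avoids chasing pointer loops.
            raise ValueError("compression pointer in question name")
        pos += 1
        if pos + length > len(datagram):
            raise ValueError("truncated label")
        labels.append(datagram[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(datagram):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", datagram[pos:pos + 4])
    return ".".join(labels), qtype, qclass, pos + 2


def is_chaos_query(datagram):
    """True if the first question is in the CHAOS class, whatever the name length."""
    try:
        return parse_question(datagram)[2] == QCLASS_CH
    except ValueError:
        return False


if __name__ == "__main__":
    for name, qtype, qclass in [("version.bind", QTYPE_TXT, QCLASS_CH),
                                ("authors.bind", QTYPE_TXT, QCLASS_CH),
                                ("www.example.com", 1, 1)]:
        dg = build_query(name, qtype, qclass)
        print(name, parse_question(dg), "chaos" if is_chaos_query(dg) else "not chaos")
```

Running the script shows QCLASS at offset 28 for both 12-byte names and at offset 31 for "www.example.com": a fixed-offset content match on the class bytes cannot work, so a class-wide rule needs either per-name-length variants or a matcher that walks the labels as the parser above does.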
