[Snort-users] Re: fingerprinting BIND 9.1.0 (changed Subject line)

Crist J. Clark cjclark at ...960...
Tue Jan 30 15:39:21 EST 2001

On Tue, Jan 30, 2001 at 06:07:35AM -0800, Max Vision wrote:


> The BIND 9.1.0beta releases and now BIND 9.1.0 include another hard coded
> chaos record called "authors".


> The following Snort signature will detect these probes:
> alert UDP $EXTERNAL any -> $INTERNAL 53 (msg:
> "IDS480/named-probe-authors"; content: "|07|authors|04|bind"; depth: 32;
> offset: 12; nocase;)
> http://whitehats.com/info/IDS480

Thanks, Max. I was about to reply on Bugtraq, but figured this was a
better forum.

Oy. I do not feel like reading RFC1035 right now. Any DNS-Snort pros want
to pose a rule to catch all CHAOS (class 3, IIRC?) record lookups 
and be done with it? I believe the query class moves around in the 
datagram depending on how long the name queried is. Curious if this is
Crist J. Clark                           cjclark at ...485...
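
The question above about where the query class sits, as an added example that is not part of the original message or of Snort: a Python sketch that walks the QNAME labels of a DNS query to locate QCLASS and flags class 3 (CHAOS) for any name. The function names and sample queries are constructed for illustration; it assumes a raw UDP payload and treats compressed or truncated names as malformed.

```python
import struct

CLASS_CHAOS = 3  # CH class value from RFC 1035
TYPE_TXT = 16

def build_query(name, qtype, qclass, txid=0x1234):
    """Build a one-question DNS query (constructed sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)

def question_classes(payload):
    """Return [(qname, qtype, qclass, qclass_offset)], or [] if not a clean query."""
    if len(payload) < 12:
        return []
    flags, qdcount = struct.unpack_from("!HH", payload, 2)
    if flags & 0x8000:            # QR bit set: a response, not a query
        return []
    pos, out = 12, []             # question section starts after the 12-byte header
    for _ in range(qdcount):
        labels = []
        while True:
            if pos >= len(payload):
                return []
            length = payload[pos]
            pos += 1
            if length == 0:       # root label ends the QNAME
                break
            if length & 0xC0 or pos + length > len(payload):
                return []         # compression/reserved bits or truncation: malformed here
            labels.append(payload[pos:pos + length].decode("ascii", "replace"))
            pos += length
        if pos + 4 > len(payload):
            return []
        qtype, qclass = struct.unpack_from("!HH", payload, pos)
        out.append((".".join(labels).lower(), qtype, qclass, pos + 2))
        pos += 4
    return out

def is_chaos_query(payload):
    """True if any question in the query uses class CHAOS, whatever the name."""
    return any(qclass == CLASS_CHAOS for _, _, qclass, _ in question_classes(payload))

if __name__ == "__main__":
    for name in ("authors.bind", "a.longer.example"):  # constructed samples
        print(question_classes(build_query(name, TYPE_TXT, CLASS_CHAOS)))
```

The two sample queries put QCLASS at byte 28 and byte 32 of the payload, which is why a fixed offset/depth content match cannot cover every CHAOS lookup.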
