[Snort-users] Bind version probe rule
alexandre at ...1499...
Wed Mar 7 16:42:01 EST 2001
I found that the rule that detects when someone attempts to probe your Bind version wasn't working for me, for instance:
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; content: "|07|version|04|bind"; nocase; offset: 12; depth: 26; reference:ar
This rule was downloaded about 5 days ago...
Has anybody got this same problem?
When I use this rule instead, works fine:
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"BiND VERSiON PROBE"; content:"|76657273696F6E0462696E64|"; nocase;)
More information about the Snort-users