[Snort-users] Bind version probe rule

Chris Green cmg at ...671...
Wed Mar 7 20:59:52 EST 2001


What version of Snort? There is a bug in 1.7 w/ depth/offset stuff.

Try the CVS version... :-)

Alexandre Florio <alexandre at ...1499...> writes:

> 	I found that the rule that detects when someone attempts to probe your Bind version wasn't working for me, for instance:
> 
> alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; content: "|07|version|04|bind"; nocase; offset: 12; depth: 26; reference:arachnids,278;)
> 
> 	This rule was downloaded about 5 days ago... 
> 
> 	Has anybody got this same problem?
> 	When I use this rule instead, it works fine:
> 
> alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"BiND VERSiON PROBE"; content:"|76657273696F6E0462696E64|"; nocase;)
> 
> -- 
> Alexandre Florio

-- 
Chris Green <cmg at ...671...>
Life is a series of rude awakenings.
                -- R.V. Winkle
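
Added example (not part of the original thread, and not Snort code): a small Python check that builds a standard version.bind query payload and emulates the content/offset/depth/nocase options of both rules quoted above. It assumes the usual DNS layout (12-byte header, then the length-prefixed name); the function names and the depth_from_offset switch are hypothetical, there only to show that the pattern sits inside the search window whether depth is counted from the offset or from the start of the payload.

```python
import struct

def build_query(labels=(b"version", b"bind"), txid=0x1234):
    """Constructed sample payload: DNS query, QTYPE=TXT (16), QCLASS=CHAOS (3)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # fixed 12-byte header
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 16, 3)

def content_match(payload, pattern, offset=0, depth=None, nocase=False,
                  depth_from_offset=True):
    """Emulate a content match restricted to a search window.

    Assumption: offset is the first payload byte searched; depth is either
    counted from that offset or from byte 0, depending on depth_from_offset.
    """
    if depth is None:
        end = len(payload)
    elif depth_from_offset:
        end = offset + depth
    else:
        end = depth
    window = payload[offset:end]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window

# Patterns taken from the two rules in the quoted message.
RULE_WINDOWED = b"\x07version\x04bind"                        # offset 12, depth 26
RULE_ANYWHERE = bytes.fromhex("76657273696F6E0462696E64")     # no offset/depth

def evaluate(payload):
    """Return which rule variants would fire on this payload."""
    return {
        "windowed_depth_from_offset": content_match(
            payload, RULE_WINDOWED, 12, 26, nocase=True),
        "windowed_depth_from_start": content_match(
            payload, RULE_WINDOWED, 12, 26, nocase=True, depth_from_offset=False),
        "anywhere": content_match(payload, RULE_ANYWHERE, nocase=True),
    }

if __name__ == "__main__":
    for name, labels in (("version.bind", (b"version", b"bind")),
                         ("VERSION.BIND", (b"VERSION", b"BIND")),
                         ("www.example", (b"www", b"example"))):
        print(name, evaluate(build_query(labels)))
```

On a well-formed query both rules should fire, so a miss from the windowed rule alone points at how the engine handles offset/depth rather than at the rule's content string.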



