[Snort-users] DNS zone transfer

Scott Nursten scottn at ...4526...
Tue Sep 17 03:13:07 EDT 2002


As per the signature

dns.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone
transfer"; flags:A+; content: "|00 00 FC|"; offset:13;
reference:cve,CAN-1999-0532; reference:arachnids,212;
classtype:attempted-recon; sid:255;  rev:6;)

It has to be destined for port 53 and contain the content |00 00 FC| (axfr I
believe), as well as A+ (be an ACK+)  so it would be pretty hard to gen a
false positive but not impossible.

Kind Regards, 

Scott Nursten
S2S Consultants
T: 01444 232 742
F: 01444 232 061
W: http://s2s.ltd.uk
E: scottn at ...4526...

More information about the Snort-users mailing list