[Snort-users] Misfiring Rule SID1948

Steve Halligan shalligan at ...8381...
Thu May 22 05:30:12 EDT 2003


The following packet set off this rule.  I am seeing many of these a
day.  

I don't see 00 00 FC.

Sending this to snort-users instead of snort-sigs because I don't think
that there is anything wrong with the sig.

I have full pre-snort pcaps of this, if someone wants to look at it.

-steve



alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer
UDP"; content: "|00 00 FC|"; offset:14; reference:cve,CAN-1999-0532;
reference:arachnids,212; classtype:attempted-recon; sid:1948; rev:1;)

------------------------------------------------------------------------
Count:1 Event#1.46383 2003-05-20 18:16:28
DNS zone transfer UDP
a.b.c.d -> e.f.g.h
IPVer=4 hlen=5 tos=0 dlen=68 ID=0 flags=2 offset=0 ttl=55 chksum=0
Protocol: 17 sport=53193 -> dport=53

len=48 chksum=3836
Payload:
2C 32 00 10 00 01 00 00 00 00 00 01 07 33 33 33 ,2...........333
74 65 63 68 03 63 6F 6D 00 00 01 00 01 00 00 29 tech.com.......)
08 00 00 00 80 00 00 00                         ........
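To check the hex dump against the rule's content match, here is an added example (my own script, not Steve's code and not part of Snort): it takes the 40 payload bytes copied from the dump above, decodes the DNS header and question, and emulates what `content:"|00 00 FC|"; offset:14;` tests, a plain byte search from payload byte 14 onward. For comparison it also builds a constructed AXFR query for the same name (`build_query` is mine, not anything from the post) to show the pattern the rule is looking for. The QTYPE values used (A=1, OPT=41, AXFR=252) are the standard DNS assignments.

```python
import struct

# UDP payload bytes copied from the hex dump in the post (40 bytes, constructed here from that dump).
CAPTURED_PAYLOAD = bytes.fromhex(
    "2C 32 00 10 00 01 00 00 00 00 00 01 07 33 33 33"
    "74 65 63 68 03 63 6F 6D 00 00 01 00 01 00 00 29"
    "08 00 00 00 80 00 00 00"
)

# Standard DNS type numbers; only the ones this example needs.
QTYPE_A = 1
QTYPE_OPT = 41
QTYPE_AXFR = 252


def parse_name(payload, pos):
    """Decode an uncompressed DNS name starting at pos; return (name, position after it)."""
    labels = []
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a query name")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), pos


def parse_question(payload):
    """Return (id, flags, qname, qtype, qclass, arcount) for a one-question DNS message."""
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", payload[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, pos = parse_name(payload, 12)
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ident, flags, qname, qtype, qclass, arcount


def sid1948_matches(payload, offset=14):
    """Emulate the rule: look for |00 00 FC| anywhere from byte `offset` to the end (no depth)."""
    return payload.find(b"\x00\x00\xfc", offset) != -1


def is_axfr_query(payload):
    """Protocol-aware check: is the question's QTYPE actually AXFR (252)?"""
    return parse_question(payload)[3] == QTYPE_AXFR


def build_query(qname, qtype, qclass=1, ident=0x1234):
    """Constructed helper: build a minimal standard query (RD set) for qname/qtype."""
    header = struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, qclass)


if __name__ == "__main__":
    ident, flags, qname, qtype, qclass, arcount = parse_question(CAPTURED_PAYLOAD)
    print(f"id=0x{ident:04x} flags=0x{flags:04x} {qname} qtype={qtype} qclass={qclass} arcount={arcount}")
    print("rule content match on captured packet:", sid1948_matches(CAPTURED_PAYLOAD))
    axfr = build_query("333tech.com", QTYPE_AXFR)
    print("rule content match on constructed AXFR:", sid1948_matches(axfr))
```

Running it on the dumped bytes decodes an ordinary A/IN query for 333tech.com with one additional record (the trailing `00 00 29 ...` is an EDNS OPT record), and the byte search from offset 14 finds no `00 00 FC`. In the constructed AXFR query the pattern is the name terminator followed by QTYPE 0x00FC, which is what the signature is keyed on.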




