Snort mailing list archives

Re: DNS zone transfer

From: Scott Nursten <scottn () s2s ltd uk>
Date: Tue, 17 Sep 2002 11:12:19 +0100

Hi, 

As per the signature

dns.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone
transfer"; flags:A+; content: "|00 00 FC|"; offset:13;
reference:cve,CAN-1999-0532; reference:arachnids,212;
classtype:attempted-recon; sid:255;  rev:6;)

It has to be destined for port 53 and contain the content |00 00 FC| (axfr I
believe), as well as A+ (be an ACK+)  so it would be pretty hard to gen a
false positive but not impossible.


Kind Regards, 

-- 
Scott Nursten
--------------------------
S2S Consultants
T: 01444 232 742
F: 01444 232 061
W: http://s2s.ltd.uk
E: scottn () s2s ltd uk
--------------------------



-------------------------------------------------------
Sponsored by: AMD - Your access to the experts on Hammer Technology! 
Open Source & Linux Developers, register now for the AMD Developer 
Symposium. Code: EX8664 http://www.developwithamd.com/developerlab
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

DNS zone transfer Semerjian, Ohanes (Sep 16)
- Re: DNS zone transfer james (Sep 16)
- <Possible follow-ups>
- RE: DNS zone transfer Semerjian, Ohanes (Sep 16)
  - Re: DNS zone transfer Scott Nursten (Sep 17)
- RE: DNS zone transfer Semerjian, Ohanes (Sep 18)