Snort mailing list archives
Re: DNS zone transfer
From: Scott Nursten <scottn () s2s ltd uk>
Date: Tue, 17 Sep 2002 11:12:19 +0100
Hi,

As per the signature

dns.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer"; flags:A+; content: "|00 00 FC|"; offset:13; reference:cve,CAN-1999-0532; reference:arachnids,212; classtype:attempted-recon; sid:255; rev:6;)

It has to be destined for port 53 and contain the content |00 00 FC| (axfr I believe), as well as A+ (be an ACK+) so it would be pretty hard to gen a false positive but not impossible.

Kind Regards,
--
Scott Nursten
--------------------------
S2S Consultants
T: 01444 232 742
F: 01444 232 061
W: http://s2s.ltd.uk
E: scottn () s2s ltd uk
--------------------------
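The content match discussed in the message above, as an added example that is not part of the original post or of Snort itself: it emulates only the rule's `content:"|00 00 FC|"; offset:13;` test against DNS-over-TCP payloads and compares it with the QTYPE actually parsed from the question. All payloads, the name example.com, and the helper names are constructed for illustration; the port and `flags:A+` checks are not modelled.

```python
import struct

AXFR = 252                   # QTYPE for a zone transfer (RFC 1035)
PATTERN = b"\x00\x00\xfc"    # the rule's content: "|00 00 FC|"

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root byte."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def tcp_query(name, qtype, extra=b"", arcount=0):
    """Constructed DNS-over-TCP payload: 2-byte length, 12-byte header, one question."""
    header = struct.pack(">HHHHHH", 0x1234, 0x0000, 1, 0, 0, arcount)
    msg = header + encode_name(name) + struct.pack(">HH", qtype, 1) + extra
    return struct.pack(">H", len(msg)) + msg

def rule_content_match(payload):
    """Emulate content:"|00 00 FC|"; offset:13; (search from byte 13 to the end)."""
    return payload.find(PATTERN, 13) != -1

def question_qtype(payload):
    """Walk the first question's labels and return the QTYPE that follows them."""
    pos = 14  # 2-byte TCP length prefix + 12-byte DNS header
    while payload[pos] != 0:
        if payload[pos] & 0xC0:
            raise ValueError("compressed name in question")
        pos += 1 + payload[pos]
    return struct.unpack_from(">H", payload, pos + 1)[0]

def check(payload):
    """Return (rule would match on content, question really is AXFR)."""
    return rule_content_match(payload), question_qtype(payload) == AXFR

# Constructed samples. In the AXFR query the pattern is the name's root byte
# (00) followed by QTYPE 00 FC. The last sample is a type A query carrying one
# extra record whose TTL is 252 seconds (00 00 00 FC), so the bytes match too.
axfr_query = tcp_query("example.com", AXFR)
a_query = tcp_query("example.com", 1)
ttl_252_record = (encode_name("example.com")
                  + struct.pack(">HHIH", 1, 1, 252, 4) + bytes([192, 0, 2, 1]))
a_query_ttl_252 = tcp_query("example.com", 1, extra=ttl_252_record, arcount=1)

if __name__ == "__main__":
    for label, p in [("AXFR", axfr_query), ("A", a_query), ("A + TTL 252", a_query_ttl_252)]:
        print(label, check(p))
```
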