Snort mailing list archives

Re: BIND signature triggered.


From: Martin Roesch <roesch () sourcefire com>
Date: Sun, 29 Apr 2001 16:29:47 -0400

Can we see the full rule?

   -Marty

"Scott A. McIntyre" wrote:

Hi,

I've got a BIND intrusion signature that I've been using for a while, but
over the last two weeks I've been getting what appear to be false
alerts.  The packet that triggers my alert is:

04/29/01-22:04:59.402601 xxx.xx.xx.xxx:1057 -> xxx.xxx.xxx.xxx:53
UDP TTL:126 TOS:0x0 ID:2 IpLen:20 DgmLen:540
Len: 520
50 40 41 48 45 42 43 3A 7F 6C 68 68 6D 60 51 3D  P@AHEBC:.lhhm`Q=
3E 23 27 3D 72 67 73 72 12 56 4D 55 59 4F 23 53  >#'=rgsr.VMUYO#S
49 52 43 03 77 4A 50 42 22 66 78 6C 6D 63 67 75  IRC.wJPB"fxlmcgu
71 65 7B 7C 7A 08 5A 58 54 58 49 54 50 52 34 3F  qe{|z.ZXTXITPR4?
40 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F  @ABCDEFGHIJKLMNO
50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F  PQRSTUVWXYZ[\]^_
60 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F  `abcdefghijklmno
70 71 72 73 74 75 76 77 78 79 7A 7B 7C 7D 7E 7F  pqrstuvwxyz{|}~.
80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F  ................
90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F  ................
A0 A1 A2 A3 A4 A5 A6 A7 A8 A9 AA AB AC AD AE AF  ................
B0 B1 B2 B3 B4 B5 B6 B7 B8 B9 BA BB BC BD BE BF  ................
C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF  ................
D0 D1 D2 D3 D4 D5 D6 D7 D8 D9 DA DB DC DD DE DF  ................
E0 E1 E2 E3 E4 E5 E6 E7 E8 E9 EA EB EC ED EE EF  ................
F0 F1 F2 F3 F4 F5 F6 F7 F8 F9 FA FB FC FD FE FF  ................
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F  ................
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F  0123456789:;<=>?
40 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F  @ABCDEFGHIJKLMNO
50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F  PQRSTUVWXYZ[\]^_
60 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F  `abcdefghijklmno
70 71 72 73 74 75 76 77 78 79 7A 7B 7C 7D 7E 7F  pqrstuvwxyz{|}~.
80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F  ................
90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F  ................
A0 A1 A2 A3 A4 A5 A6 A7 A8 A9 AA AB AC AD AE AF  ................
B0 B1 B2 B3 B4 B5 B6 B7 B8 B9 BA BB BC BD BE BF  ................
C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF  ................
D0 D1 D2 D3 D4 D5 D6 D7 D8 D9 DA DB DC DD DE DF  ................
E0 E1 E2 E3 E4 E5 E6 E7 E8 E9 EA EB EC ED EE EF  ................
F0 F1 F2 F3 F4 F5 F6 F7 F8 F9 FA FB FC FD FE FF  ................

This seems a pretty peculiar packet in its own right, so I'm wondering
if others have seen it before.

This is triggered due to an observation of the following content in a
number of other (valid) BIND related intrusions:

content:"|06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19
1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31
32 33 34 35|"

Ideas?

Thanks,
Scott

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch
roesch () md prestige net
http://www.snort.org
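As an added triage example, not code from the thread or from Snort: decode the quoted packet dump and Scott's content option in Python, find where the rule's bytes land in the payload, and read what the DNS header claims. The dump's first four lines are copied from the post; its remaining 28 lines are the two ascending byte ramps (0x40..0xFF, then 0x00..0xFF) and are regenerated rather than retyped.

```python
import struct

# First four lines of the Snort dump quoted in the post; the other 28 lines
# are plain byte ramps and are rebuilt below with range().
DUMP_HEAD = """\
50 40 41 48 45 42 43 3A 7F 6C 68 68 6D 60 51 3D  P@AHEBC:.lhhm`Q=
3E 23 27 3D 72 67 73 72 12 56 4D 55 59 4F 23 53  >#'=rgsr.VMUYO#S
49 52 43 03 77 4A 50 42 22 66 78 6C 6D 63 67 75  IRC.wJPB"fxlmcgu
71 65 7B 7C 7A 08 5A 58 54 58 49 54 50 52 34 3F  qe{|z.ZXTXITPR4?
"""

# The content option from the rule in the post, joined onto one line.
RULE_CONTENT = ('|06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 '
                '1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 '
                '32 33 34 35|')


def parse_snort_hexdump(text):
    """Turn Snort's 'hex pairs  ASCII' dump lines back into raw bytes.
    Each line holds 16 pairs in its first 47 columns; the ASCII column is ignored."""
    return b"".join(bytes.fromhex(line[:47]) for line in text.splitlines() if line.strip())


def parse_snort_content(spec):
    """Decode a Snort content string: text between pipes is hex, the rest is literal."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def dns_header(payload):
    """Decode the 12-byte DNS header (RFC 1035) so its counts can be sanity-checked."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    return {"id": ident, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


PAYLOAD = (parse_snort_hexdump(DUMP_HEAD)
           + bytes(range(0x40, 0x100))   # dump lines 5..16
           + bytes(range(0x00, 0x100)))  # dump lines 17..32
PATTERN = parse_snort_content(RULE_CONTENT)


def content_offset(payload=PAYLOAD, pattern=PATTERN):
    """Offset at which the rule's content matches, or -1. The 06..35 run is a
    slice of the second byte ramp, so any payload carrying a 00..FF table matches."""
    return payload.find(pattern)


if __name__ == "__main__":
    print(len(PAYLOAD), "payload bytes; content matches at offset", content_offset())
    print(dns_header(PAYLOAD))
```

The header decode shows a question count of 0x4542 and an unassigned opcode of 8, which is one quick way to tell that a matching packet is not a well-formed query before deciding how to tune the rule.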
