Snort mailing list archives

RE: DNS zone transfer


From: "Semerjian, Ohanes" <Semerjian.Ohanes () wcom com au>
Date: Thu, 19 Sep 2002 08:00:33 +0800

Thanks very much for reply, that's what I thought but I wanted to hear it
from someone else to confirm my suspicions.

Best Regards

Ohanes Semerjian

PGP Key
6604 2A46 E64F BEBF A4B7  9D01 9E08 399C 9D45 3254


-----Original Message-----
From: Scott Nursten [mailto:scottn () s2s ltd uk]
Sent: Tuesday, 17 September 2002 20:12
To: Semerjian, Ohanes; 'james'
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] DNS zone transfer


Hi, 

As per the signature

dns.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer"; flags:A+; content:"|00 00 FC|"; offset:13; reference:cve,CAN-1999-0532; reference:arachnids,212; classtype:attempted-recon; sid:255; rev:6;)

It has to be destined for port 53 and contain the content |00 00 FC| (axfr I
believe), as well as A+ (be an ACK+), so it would be pretty hard to gen a
false positive, but not impossible.


Kind Regards, 

-- 
Scott Nursten
--------------------------
S2S Consultants
T: 01444 232 742
F: 01444 232 061
W: http://s2s.ltd.uk
E: scottn () s2s ltd uk
--------------------------
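The two checks Scott's rule relies on, side by side, as an added Python example that is not part of the original post: the rule's raw byte search for |00 00 FC| from offset 13, and a structural walk of the DNS-over-TCP question section that reads the actual QTYPE. The DNS messages are constructed inline and the function names are my own.

```python
import struct

AXFR_QTYPE = 0x00FC  # QTYPE 252 = AXFR; the bytes the rule's |00 00 FC| content looks for
RULE_OFFSET = 13     # the rule's offset:13 skips the TCP length prefix and most of the header

def build_tcp_dns_query(labels, qtype, txid=0x1234):
    """Construct a DNS query as carried over TCP: 2-byte length prefix, 12-byte
    header, one question (QNAME labels, QTYPE, QCLASS=IN). Built here, not captured."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg

def rule_content_match(payload):
    """What sid:255's content test does: a byte search for 00 00 FC starting at
    offset 13, with no knowledge of where the question section actually is."""
    return payload.find(b"\x00\x00\xfc", RULE_OFFSET) != -1

def parse_qtype(payload):
    """Walk the message structurally and return the QTYPE of the first question,
    or None if the payload is truncated or carries no question."""
    if len(payload) < 14:
        return None
    (length,) = struct.unpack("!H", payload[:2])
    msg = payload[2:2 + length]
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] < 1:
        return None
    pos = 12
    while pos < len(msg):                 # skip QNAME label by label
        n = msg[pos]
        if n == 0:                        # root label terminates the name
            pos += 1
            break
        if n & 0xC0 == 0xC0:              # a compression pointer (2 bytes) also ends it
            pos += 2
            break
        pos += 1 + n
    else:
        return None                       # ran off the end before the name finished
    if pos + 4 > len(msg):
        return None
    return struct.unpack("!H", msg[pos:pos + 2])[0]

def is_axfr_request(payload):
    return parse_qtype(payload) == AXFR_QTYPE

# Constructed samples: a genuine AXFR request, a plain A query, and an A query whose
# first label carries the rule's byte pattern (DNS labels may hold any octet value).
AXFR_QUERY = build_tcp_dns_query([b"example", b"com"], AXFR_QTYPE)
A_QUERY = build_tcp_dns_query([b"www", b"example", b"com"], 1)
ODD_A_QUERY = build_tcp_dns_query([b"\x00\x00\xfc", b"example", b"com"], 1)
```

The third sample is the "not impossible" false positive: the byte search fires on it, the structural check does not, which is the kind of confirmation worth doing before escalating a sid:255 alert.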

