Snort mailing list archives

Misfiring Rule SID1948


From: Steve Halligan <shalligan () 333tech com>
Date: Wed, 21 May 2003 09:05:00 -0500

The following packet set off this rule.  I am seeing many of these a day.

I don't see 00 00 FC.

Sending this to snort-users instead of snort-sigs cause I don't think
that there is anything wrong with the sig.

I have full pre-snort pcaps of this, if someone wants to look at it.

-steve



alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer
UDP"; content: "|00 00 FC|"; offset:14; reference:cve,CAN-1999-0532;
reference:arachnids,212; classtype:attempted-recon; sid:1948; rev:1;)

------------------------------------------------------------------------
Count:1 Event#1.46383 2003-05-20 18:16:28
DNS zone transfer UDP
a.b.c.d -> e.f.g.h
IPVer=4 hlen=5 tos=0 dlen=68 ID=0 flags=2 offset=0 ttl=55 chksum=0
Protocol: 17 sport=53193 -> dport=53

len=48 chksum=3836
Payload:
2C 32 00 10 00 01 00 00 00 00 00 01 07 33 33 33 ,2...........333
74 65 63 68 03 63 6F 6D 00 00 01 00 01 00 00 29 tech.com.......)
08 00 00 00 80 00 00 00                         ........
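An added example, not part of Steve's post: this Python script decodes the dumped payload and applies the rule's content/offset check the way the rule text describes it, so the packet can be confirmed as an ordinary EDNS0 A query with no |00 00 FC| at or after offset 14; the AXFR query builder is a constructed comparison, not traffic from the post.

```python
import struct

# Payload bytes copied from the alert dump in the post above (40 bytes).
PAYLOAD = bytes.fromhex(
    "2C 32 00 10 00 01 00 00 00 00 00 01 07 33 33 33"
    "74 65 63 68 03 63 6F 6D 00 00 01 00 01 00 00 29"
    "08 00 00 00 80 00 00 00"
)

AXFR_PATTERN = b"\x00\x00\xfc"  # rule content "|00 00 FC|": end-of-name 00 + QTYPE 252
RULE_OFFSET = 14                # rule's offset:14 (search starts at byte 14)
QTYPE_AXFR = 252                # 0xFC, the zone-transfer query type

def rule_1948_matches(payload: bytes) -> bool:
    """Content/offset semantics: the pattern must occur at or after RULE_OFFSET."""
    return payload.find(AXFR_PATTERN, RULE_OFFSET) != -1

def parse_dns_query(payload: bytes) -> dict:
    """Decode the 12-byte header, the first question, and an EDNS0 OPT record if present."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", payload[:12])
    labels, pos = [], 12
    while payload[pos] != 0:            # read length-prefixed labels until the 00 terminator
        length = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    pos += 1                            # skip the terminating 00
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    pos += 4
    info = {"id": txid, "flags": flags, "qdcount": qdcount, "arcount": arcount,
            "qname": ".".join(labels), "qtype": qtype, "qclass": qclass, "edns0": False}
    # Additional record with empty name and type 41 (0x0029) is an EDNS0 OPT pseudo-RR.
    if arcount and payload[pos] == 0 and struct.unpack("!H", payload[pos + 1:pos + 3])[0] == 41:
        info["edns0"] = True
        info["edns_udp_size"] = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
    return info

def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Constructed helper: build a minimal one-question DNS query for comparison."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

if __name__ == "__main__":
    print(parse_dns_query(PAYLOAD))
    print("posted packet matches rule 1948:", rule_1948_matches(PAYLOAD))
    print("real AXFR query matches rule 1948:", rule_1948_matches(build_query("333tech.com", QTYPE_AXFR)))
```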


