Snort mailing list archives
Misfiring Rule SID1948
From: Steve Halligan <shalligan () 333tech com>
Date: Wed, 21 May 2003 09:05:00 -0500
The following packet set off this rule. I am seeing many of these a day. I don't see 00 00 FC. Sending this to snort-users instead of snort-sigs cause I don't think that there is anything wrong with the sig. I have full pre-snort pcaps of this, if someone wants to look at it. -steve alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer UDP"; content: "|00 00 FC|"; offset:14; reference:cve,CAN-1999-0532; reference:arachnids,212; classtype:attempted-recon; sid:1948; rev:1;) ------------------------------------------------------------------------ Count:1 Event#1.46383 2003-05-20 18:16:28 DNS zone transfer UDP a.b.c.d -> e.f.g.h IPVer=4 hlen=5 tos=0 dlen=68 ID=0 flags=2 offset=0 ttl=55 chksum=0 Protocol: 17 sport=53193 -> dport=53 len=48 chksum=3836 Payload: 2C 32 00 10 00 01 00 00 00 00 00 01 07 33 33 33 ,2...........333 74 65 63 68 03 63 6F 6D 00 00 01 00 01 00 00 29 tech.com.......) 08 00 00 00 80 00 00 00 ........ ------------------------------------------------------- This SF.net email is sponsored by: ObjectStore. If flattening out C++ or Java code to make your application fit in a relational database is painful, don't do it! Check out ObjectStore. Now part of Progress Software. http://www.objectstore.net/sourceforge _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Misfiring Rule SID1948 Steve Halligan (May 22)