Detecting cross reference at DNS decompression by a snort rule

[سعید انواری <anvari85 () gmail com>]

Hello.
I want to write a snort rule to detect DNS exploit as a result of endless
cross referencing in DNS compression message. especially, I mean zlip-2.pcap
packet ( zlip-2.pcap<http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&target=zlip-2.pcap>
 ).
can somebody help me?
Thanks.

------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users