Snort mailing list archives

Re: PROTOCOL-DNS DNS query amplification attempt (1:28556)


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Mon, 4 May 2015 14:35:26 +0000


alert udp $EXTERNAL_NET any -> $HOME_NET 53 ( \
    msg:"PROTOCOL-DNS DNS query amplification attempt"; flow:to_server; \
    content:"|00 01|"; depth:2; offset:4; \
    content:"|00 01|"; within:2; distance:4; \
    byte_test:1,!&,0xF8,2; \
    content:"|00 00 FF 00 01 00 00 29|"; byte_test:2,>,0x7FFF,0,relative; \
    metadata:policy security-ips drop, ruleset community, service dns; \
    reference:url,www.us-cert.gov/ncas/alerts/TA13-088A; \
    classtype:attempted-dos; sid:28556; rev:2; )


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Mustaque [mailto:mustaque.ahmad () nuemera com]
Sent: Monday, May 04, 2015 1:58 AM
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] PROTOCOL-DNS DNS query amplification attempt (1:28556)

Hi,

I can't see the packet information to investigate the integrity of this rule. And what does this rule do? Need more info.

Thanks and Regards
Mustaque
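As an added walkthrough (not part of either message above), the Python below applies the same byte checks that the rule's content and byte_test options encode to constructed DNS queries, which answers concretely what sid 28556 matches: a standard query (QR=0, OPCODE=0) with QDCOUNT=1 and ARCOUNT=1, a question of QTYPE ANY (0x00FF) class IN, followed by an EDNS0 OPT record whose advertised UDP payload size is greater than 0x7FFF. The function and helper names are my own, and the packets are constructed samples, not captures.

```python
import struct
from typing import Optional

# Added illustration of the rule's payload checks; not Snort's own matching engine.

def build_query(qname: bytes, qtype: int, qclass: int = 1,
                edns_size: Optional[int] = None, flags: int = 0x0100,
                txid: int = 0x1234) -> bytes:
    """Construct a DNS query, optionally with an EDNS0 OPT record (constructed sample data)."""
    arcount = 1 if edns_size is not None else 0
    # Header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    name = b"".join(bytes([len(l)]) + l for l in qname.split(b".") if l) + b"\x00"
    question = name + struct.pack("!HH", qtype, qclass)
    opt = b""
    if edns_size is not None:
        # OPT RR: root name, TYPE=41 (OPT), CLASS=advertised UDP payload size, TTL=0, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return header + question + opt

def matches_sid_28556(payload: bytes) -> bool:
    """Apply the rule's payload checks to a UDP payload sent to port 53."""
    if len(payload) < 12:
        return False
    # content:"|00 01|"; depth:2; offset:4      -> QDCOUNT (bytes 4-5) == 1
    if payload[4:6] != b"\x00\x01":
        return False
    # content:"|00 01|"; within:2; distance:4   -> 4 bytes past the previous match: ARCOUNT == 1
    if payload[10:12] != b"\x00\x01":
        return False
    # byte_test:1,!&,0xF8,2                     -> high flags byte: QR=0 and OPCODE=0 (standard query)
    if payload[2] & 0xF8:
        return False
    # content:"|00 00 FF 00 01 00 00 29|"       -> end of QNAME, QTYPE=ANY, QCLASS=IN, root name, TYPE=OPT
    idx = payload.find(b"\x00\x00\xff\x00\x01\x00\x00\x29")
    if idx < 0 or len(payload) < idx + 10:
        return False
    # byte_test:2,>,0x7FFF,0,relative           -> OPT CLASS field (UDP payload size) > 32767
    udp_size = struct.unpack("!H", payload[idx + 8:idx + 10])[0]
    return udp_size > 0x7FFF

if __name__ == "__main__":
    print(matches_sid_28556(build_query(b"example.com", 255, edns_size=0xFFFF)))  # True
    print(matches_sid_28556(build_query(b"example.com", 255, edns_size=4096)))    # False
```

The 4096-byte case shows the rule ignores ordinary EDNS0 ANY queries; only an advertised buffer above 32767 bytes trips it.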