[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: firestorm-nids: DNS zone transfer TCP

To: firestorm@xxxxxxxxxxxxxxxx
Subject: Re: firestorm-nids: DNS zone transfer TCP
From: rmkml <rmkml@xxxxxxxxxx>
Date: Fri, 21 Mar 2003 17:12:30 +0100
Delivered-to: mailing list firestorm@scaramanga.co.uk
Mailing-list: contact firestorm-help@scaramanga.co.uk; run by ezmlm
References: <3E7B346B.EC43508A@wanadoo.fr>
Sender: test@xxxxxxxxxx

ok

I found rules on firestorm :
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer";
flow:to_server,established; content: "|00 00 FC|"; offset:13;
reference:cve,CAN-1999-0532; reference:arachnids,212;
classtype:attempted-recon; sid:255;  rev:6;)

and I found rules on snort :
alert tcp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS zone transfer
TCP"; flow:to_server,established; content: "|00 00 FC|"; offset:14;
reference:cve,CAN-1999-0532; reference:arachnids,212;
classtype:attempted-recon; sid:255; rev:7;)

ok change offset with firestorm 13-> 14
but same pb: firestorm not view this AXFR request !

Regard.



rmkml wrote:

> Hi,
>
> I have a pb,
>
> start cmd :
> $ dig @mydnspubip axfr
>
> Yes, I not have zone in request !
>
> and my pb is: Firestorm not view this !
>
> but if add zone in request :
> $ dig @mydnspubip test.uk axfr
>
> ok Firestorm view this ...
>
> Prelude have same pb,
> but snort view two request ...
>
> Could you help me ?
>
> Regard.

Follow-Ups:
- Re: firestorm-nids: DNS zone transfer TCP
  - From: Gianni Tedesco

References:
- firestorm-nids: DNS zone transfer TCP
  - From: rmkml

Prev by Date: Re: firestorm-nids: DNS zone transfer TCP
Next by Date: Re: firestorm-nids: DNS zone transfer TCP
Previous by thread: Re: firestorm-nids: DNS zone transfer TCP
Next by thread: Re: firestorm-nids: DNS zone transfer TCP
Index(es):
- Date
- Thread