
Re: firestorm-nids: DNS zone transfer TCP



OK,
Do you see one or two events?

Because the first session (tcp port 34913) is not seen by firestorm,

and the second session (tcp port 34914) is seen by firestorm ...

Yes, my tcpdump file has two DNS TCP sessions ...

Regards



Gianni Tedesco wrote:

> On Mon, 2003-03-24 at 12:37, Gianni Tedesco wrote:
> > On Fri, 2003-03-21 at 16:25, rmkml wrote:
> > > OK, tcpdump attached.
> > > First session not seen with firestorm/prelude,
> > > second session seen with all of firestorm/prelude/snort.
> >
> > OK, I can now confirm that this is a bug. I will look into it and post
> > a patch as soon as I have one.
>
> Hmm, it seems I jumped the gun. With latest firestorm from cvs, with
> HOME_NET and EXTERNAL_NET set to 'any' the default ruleset triggers on
> this just fine:
>
> 1048263639.030696 alert=sig.tcp sig=255.6 priority=2 src=192.168.1.2
> dst=193.252.19.2 proto=6 spt=34914 dpt=53 flags=***PA*** from=client
> server=ESTABLISHED client=ESTABLISHED : DNS zone transfer
>
> Not sure why this ever would have failed...
>
> --
> // Gianni Tedesco (gianni at scaramanga dot co dot uk)
> lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
> 8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D