[...]
>
>
> The snort filter for zone transfers picks up _any_ connections to TCP
> port 53. Whether or not they actually treid to transfer a zone after
> making that connection determines what is logged.
>
Actually no. The filter from Whitehats is has follows:
alert TCP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS212/dns-zone-transfer";
content: "|01 00 00 01 00 00 00 00 00 00|"; flags: AP; offset: 2; depth:
16;)
Based on the post from James Hoagland to the snort-users list, a more
precise rule should be something like this:
alert TCP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS212/dns-zone-transfer";
content: "|FC|"; flags: AP; offset: 13;)
Cheers
Fernando
_________________________________________________________
Fernando Cardoso Phone: +351 21 7982186
Network Administrator Fax: +351 21 7982185
National Library E-mail: fernando_at_bn.pt
Portugal PGP ID: 28551CB8
Received on Sep 04 2000
Intro
