From: Alexandre Florio (alexandre cipher.com.br)
Date: Wed Mar 07 2001 - 15:42:01 CST
I found that the rule that detects when someone attempts to probe your Bind version wasn't working for me, for instance:
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; content: "|07|version|04|bind"; nocase; offset: 12; depth: 26; reference:arachnids,278;)
This rule was downloaded about 5 days ago...
Has anybody got this same problem?
When I use this rule instead, it works fine:
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"BiND VERSiON PROBE"; content:"|76657273696F6E0462696E64|"; nocase;)
-- Alexandre Florio
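A way to check both content options from the message above against the wire bytes of a version.bind query, as an added example that is not part of the original post and not Snort's own code. The packet is constructed, the helper names are hypothetical, and the matcher assumes that `offset` is counted from the start of the UDP payload and that `depth` bounds the search window starting at `offset`.

```python
import struct

def build_chaos_txt_query(labels=(b"version", b"bind"), txid=0x1234):
    """Constructed sample: DNS query, type TXT (16), class CHAOS (3)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # 12-byte header
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 16, 3)

def parse_content(spec):
    """Decode Snort content syntax: literal text mixed with |hex bytes|."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2:  # odd segments sit between pipes and hold hex digits
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)

def content_match(payload, spec, nocase=False, offset=0, depth=None):
    """Return the payload index where the pattern is found, or -1.
    Assumption: the window is payload[offset : offset + depth]."""
    pattern = parse_content(spec)
    end = len(payload) if depth is None else offset + depth
    window = payload[offset:end]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    pos = window.find(pattern)
    return -1 if pos < 0 else pos + offset

def evaluate(payload):
    """Apply the content options of both rules from the post to one payload."""
    return {
        "arachnids_278": content_match(payload, "|07|version|04|bind",
                                       nocase=True, offset=12, depth=26),
        "hex_only": content_match(payload, "|76657273696F6E0462696E64|",
                                  nocase=True),
    }

if __name__ == "__main__":
    pkt = build_chaos_txt_query()
    print(pkt.hex())
    print(evaluate(pkt))
```

On this constructed query the first pattern is found at payload index 12, where the length byte of the `version` label sits directly after the DNS header, and the second at index 13, because its hex string omits that leading `07` byte.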