Snort mailing list archives
Re: PROTOCOL-DNS DNS query amplification attempt (1:28556)
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Mon, 4 May 2015 14:35:26 +0000
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS DNS query amplification attempt"; flow:to_server; content:"|00 01|"; depth:2; offset:4; content:"|00 01|"; within:2; distance:4; byte_test:1,!&,0xF8,2; content:"|00 00 FF 00 01 00 00 29|"; byte_test:2,>,0x7FFF,0,relative; metadata:policy security-ips drop, ruleset community, service dns; reference:url,www.us-cert.gov/ncas/alerts/TA13-088A; classtype:attempted-dos; sid:28556; rev:2; )

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Mustaque [mailto:mustaque.ahmad () nuemera com]
Sent: Monday, May 04, 2015 1:58 AM
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] PROTOCOL-DNS DNS query amplification attempt (1:28556)

Hi,

I can't see the packet information to investigate the integrity of this rule. And what does this rule do? Need more info.

Thanks and Regards
Mustaque
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
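Editor's note on what the rule body above actually tests, with a worked example. This is added material, not part of the thread or of the Snort ruleset. Reading sid:28556 option by option against the DNS wire format: the first content (offset 4, depth 2) requires QDCOUNT == 1; the second content (distance 4, within 2, relative to the end of the first match) lands on offset 10 and requires ARCOUNT == 1; byte_test:1,!&,0xF8,2 requires that the high byte of the flags word has QR and Opcode clear, i.e. a standard query; the long content is the null label ending QNAME, QTYPE ANY (00 FF), QCLASS IN (00 01), then the root name and TYPE 41 (OPT) of an EDNS0 pseudo-RR; and the final byte_test reads the two bytes after that, which in an OPT record is the advertised UDP payload size, and requires it to exceed 0x7FFF (32767). So the rule fires on an inbound ANY query carrying an EDNS0 buffer size above 32767, the shape of request used to elicit large responses from an open resolver. The Python below builds such queries with the standard library only and re-implements the rule's matching logic so the two shapes can be compared offline; the domain name, transaction ID and EDNS sizes are constructed sample values, and the loop over later occurrences of the long content assumes Snort retries later matches when the following relative byte_test fails.

```python
import struct

# The long content match from sid:28556: end of QNAME, QTYPE ANY, QCLASS IN,
# then the OPT pseudo-RR's root name and TYPE 41. Bytes copied from the rule.
ANY_IN_THEN_OPT = b"\x00\x00\xff\x00\x01\x00\x00\x29"

QTYPE_A = 1
QTYPE_ANY = 255
TYPE_OPT = 41


def encode_qname(name: str) -> bytes:
    """Encode a dotted name as DNS labels terminated by the null label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        if len(label) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, qr=0, opcode=0, edns_udp_size=None, txid=0x1234):
    """Build a DNS query payload (what follows the UDP header).

    edns_udp_size=None omits the OPT record (ARCOUNT=0); otherwise one OPT
    pseudo-RR is appended advertising that UDP payload size. txid is a
    constructed sample value, not anything a real client would fix.
    """
    flags = (qr << 15) | (opcode << 11) | 0x0100  # RD set, as dig does
    arcount = 1 if edns_udp_size is not None else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_qname(qname) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    opt = b""
    if edns_udp_size is not None:
        # NAME=root, TYPE=41, CLASS=UDP payload size, TTL=ext RCODE/version/flags, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def matches_sid_28556(payload: bytes) -> bool:
    """Evaluate the rule body of sid:28556 against a DNS payload, option by option."""
    # content:"|00 01|"; depth:2; offset:4  -> QDCOUNT == 1
    if payload[4:6] != b"\x00\x01":
        return False
    # content:"|00 01|"; within:2; distance:4  -> relative to end of the previous
    # match (offset 6): skip NSCOUNT, so ARCOUNT (offset 10) == 1
    if payload[10:12] != b"\x00\x01":
        return False
    # byte_test:1,!&,0xF8,2  -> QR and Opcode bits clear in the flags high byte
    if len(payload) < 3 or payload[2] & 0xF8:
        return False
    # content:"|00 00 FF 00 01 00 00 29|" is not relative, so it is searched from
    # the start of the payload; byte_test:2,>,0x7FFF,0,relative then reads the
    # two bytes right after it, the OPT CLASS field = advertised UDP payload size.
    # Assumption: Snort retries later occurrences when the relative test fails.
    start = 0
    while True:
        i = payload.find(ANY_IN_THEN_OPT, start)
        if i < 0:
            return False
        j = i + len(ANY_IN_THEN_OPT)
        if len(payload) >= j + 2 and struct.unpack("!H", payload[j:j + 2])[0] > 0x7FFF:
            return True
        start = i + 1


def evaluate_samples():
    """Run the rule over constructed queries; returns {description: fired?}."""
    samples = {
        "ANY example.com, EDNS0 size 65535": build_query("example.com", QTYPE_ANY, edns_udp_size=65535),
        "ANY example.com, EDNS0 size 4096": build_query("example.com", QTYPE_ANY, edns_udp_size=4096),
        "ANY example.com, no EDNS0": build_query("example.com", QTYPE_ANY),
        "A example.com, EDNS0 size 65535": build_query("example.com", QTYPE_A, edns_udp_size=65535),
        "ANY response (QR=1), EDNS0 size 65535": build_query("example.com", QTYPE_ANY, qr=1, edns_udp_size=65535),
    }
    return {desc: matches_sid_28556(p) for desc, p in samples.items()}


if __name__ == "__main__":
    for desc, fired in evaluate_samples().items():
        print("%-42s %s" % (desc, "ALERT" if fired else "-"))
```

Only the first sample fires: an ANY query with a 4096-byte EDNS0 buffer, which is what a stock dig sends, stays below the 0x7FFF threshold, and the rule ignores non-ANY queries, queries without an OPT record, and anything with QR or a non-zero Opcode set. Note also that the threshold is on the advertised buffer size, not on the resolver's reply, so the rule flags the request shape, not the amplification itself.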
Current thread:
- PROTOCOL-DNS DNS query amplification attempt (1:28556) Mustaque (May 04)
- Re: PROTOCOL-DNS DNS query amplification attempt (1:28556) Al Lewis (allewi) (May 04)
- Re: PROTOCOL-DNS DNS query amplification attempt (1:28556) Geoffrey Serrao (May 04)
- Re: PROTOCOL-DNS DNS query amplification attempt (1:28556) rmkml (May 04)
- Re: PROTOCOL-DNS DNS query amplification attempt (1:28556) rmkml (May 04)
- Re: PROTOCOL-DNS DNS query amplification attempt (1:28556) Mustaque Ahmad (May 07)
- Re: PROTOCOL-DNS DNS query amplification attempt (1:28556) Jamie Riden (May 07)
- Re: PROTOCOL-DNS DNS query amplification attempt (1:28556) Mustaque (May 12)
- Re: PROTOCOL-DNS DNS query amplification attempt (1:28556) rmkml (May 04)
- Re: PROTOCOL-DNS DNS query amplification attempt (1:28556) Al Lewis (allewi) (May 04)