Snort mailing list archives
help with "DNS SPOOF" incidents
From: R P G <inittab () io jtan com>
Date: Wed, 30 May 2001 21:24:29 -0400 (EDT)
Hi All,

I'm wondering if someone here can help me analyze what's going on with this. My snort sensor has detected these "DNS SPOOF" packets over the past couple of weeks. My server is "aaa.bbb.ccc.15" and my server's configured "forwarders" are "xxx.yyy.zzz.1" and "xxx.yyy.zzz.2".

The snort rule that has kicked these off is as follows:

    alert udp $EXTERNAL 53 -> $INTERNAL any (msg:"DNS SPOOF query response with ttl: 1 min. and no authority"; content:"|81800001000100000000|"; content:"|c00c000100010000003c0004|";)

What could be happening here? Can someone shed some insight on this?

TIA

--Bob

------------------------------------------------------------------------------
#(1 - 379452) [2001-05-06 01:03:41]  DNS SPOOF query response with ttl
IPv4: xxx.yyy.zzz.1 -> aaa.bbb.ccc.15
      hlen=5 TOS=0 dlen=82 ID=51775 flags=0 offset=0 TTL=52 chksum=2578
UDP:  port=53 -> dport: 1662 len=62
Payload:  length = 54
000 : 46 7E 81 80 00 01 00 01 00 00 00 00 06 38 34 2D  F~...........84-
010 : 30 38 39 06 64 61 76 6E 65 74 03 63 6F 6D 02 68  089.davnet.com.h
020 : 6B 00 00 01 00 01 C0 0C 00 01 00 01 00 00 00 3C  k..............<
030 : 00 04 CA 45 54 59                                ...ETY
------------------------------------------------------------------------------
#(1 - 383336) [2001-05-09 01:08:17]  DNS SPOOF query response with ttl
IPv4: xxx.yyy.zzz.1 -> aaa.bbb.ccc.15
      hlen=5 TOS=0 dlen=82 ID=46083 flags=0 offset=0 TTL=52 chksum=8270
UDP:  port=53 -> dport: 1887 len=62
Payload:  length = 54
000 : BB B1 81 80 00 01 00 01 00 00 00 00 06 38 34 2D  .............84-
010 : 30 37 37 06 64 61 76 6E 65 74 03 63 6F 6D 02 68  077.davnet.com.h
020 : 6B 00 00 01 00 01 C0 0C 00 01 00 01 00 00 00 3C  k..............<
030 : 00 04 CA 45 54 4D                                ...ETM
------------------------------------------------------------------------------
#(1 - 383335) [2001-05-09 01:08:16]  DNS SPOOF query response with ttl
IPv4: xxx.yyy.zzz.2 -> aaa.bbb.ccc.15
      hlen=5 TOS=0 dlen=82 ID=4566 flags=0 offset=0 TTL=53 chksum=49530
UDP:  port=53 -> dport: 1887 len=62
Payload:  length = 54
000 : BB B1 81 80 00 01 00 01 00 00 00 00 06 38 34 2D  .............84-
010 : 30 37 37 06 64 61 76 6E 65 74 03 63 6F 6D 02 68  077.davnet.com.h
020 : 6B 00 00 01 00 01 C0 0C 00 01 00 01 00 00 00 3C  k..............<
030 : 00 04 CA 45 54 4D                                ...ETM
------------------------------------------------------------------------------
#(1 - 384900) [2001-05-14 01:04:39]  DNS SPOOF query response with ttl
IPv4: xxx.yyy.zzz.2 -> aaa.bbb.ccc.15
      hlen=5 TOS=0 dlen=82 ID=18846 flags=0 offset=0 TTL=59 chksum=33714
UDP:  port=53 -> dport: 1441 len=62
Payload:  length = 54
000 : FE ED 81 80 00 01 00 01 00 00 00 00 06 38 34 2D  .............84-
010 : 30 38 38 06 64 61 76 6E 65 74 03 63 6F 6D 02 68  088.davnet.com.h
020 : 6B 00 00 01 00 01 C0 0C 00 01 00 01 00 00 00 3C  k..............<
030 : 00 04 CA 45 54 58                                ...ETX
------------------------------------------------------------------------------
#(1 - 384899) [2001-05-14 01:04:38]  DNS SPOOF query response with ttl
IPv4: xxx.yyy.zzz.1 -> aaa.bbb.ccc.15
      hlen=5 TOS=0 dlen=82 ID=60364 flags=0 offset=0 TTL=59 chksum=57732
UDP:  port=53 -> dport: 1441 len=62
Payload:  length = 54
000 : FE ED 81 80 00 01 00 01 00 00 00 00 06 38 34 2D  .............84-
010 : 30 38 38 06 64 61 76 6E 65 74 03 63 6F 6D 02 68  088.davnet.com.h
020 : 6B 00 00 01 00 01 C0 0C 00 01 00 01 00 00 00 3C  k..............<
030 : 00 04 CA 45 54 58                                ...ETX
------------------------------------------------------------------------------
#(1 - 1533334) [2001-05-29 15:33:50]  DNS SPOOF query response with ttl
IPv4: xxx.yyy.zzz.1 -> aaa.bbb.ccc.15
      hlen=5 TOS=0 dlen=82 ID=4084 flags=0 offset=0 TTL=59 chksum=48477
UDP:  port=53 -> dport: 1675 len=62
Payload:  length = 54
000 : DA 4F 81 80 00 01 00 01 00 00 00 00 06 38 34 2D  .O...........84-
010 : 30 38 38 06 64 61 76 6E 65 74 03 63 6F 6D 02 68  088.davnet.com.h
020 : 6B 00 00 01 00 01 C0 0C 00 01 00 01 00 00 00 3C  k..............<
030 : 00 04 CA 45 54 58                                ...ETX
------------------------------------------------------------------------------
#(1 - 1533544) [2001-05-30 00:09:38]  DNS SPOOF query response with ttl
IPv4: xxx.yyy.zzz.2 -> aaa.bbb.ccc.15
      hlen=5 TOS=0 dlen=82 ID=55890 flags=0 offset=0 TTL=59 chksum=62205
UDP:  port=53 -> dport: 1675 len=62
Payload:  length = 54
000 : E9 E1 81 80 00 01 00 01 00 00 00 00 06 38 34 2D  .............84-
010 : 30 37 37 06 64 61 76 6E 65 74 03 63 6F 6D 02 68  077.davnet.com.h
020 : 6B 00 00 01 00 01 C0 0C 00 01 00 01 00 00 00 3C  k..............<
030 : 00 04 CA 45 54 4D                                ...ETM
------------------------------------------------------------------------------
#(1 - 1533542) [2001-05-30 00:09:38]  DNS SPOOF query response with ttl
IPv4: xxx.yyy.zzz.2 -> aaa.bbb.ccc.15
      hlen=5 TOS=0 dlen=82 ID=55817 flags=0 offset=0 TTL=59 chksum=62278
UDP:  port=53 -> dport: 1675 len=62
Payload:  length = 54
000 : E9 E1 81 80 00 01 00 01 00 00 00 00 06 38 34 2D  .............84-
010 : 30 37 37 06 64 61 76 6E 65 74 03 63 6F 6D 02 68  077.davnet.com.h
020 : 6B 00 00 01 00 01 C0 0C 00 01 00 01 00 00 00 3C  k..............<
030 : 00 04 CA 45 54 4D                                ...ETM
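To see exactly which bytes the two content: patterns in the quoted rule are keying on, here is a small DNS response decoder run over the payload of the first alert above. This is an added illustration, not code from the post or from Snort; the payload bytes are re-typed from the hex dump, and the substring check in rule_matches stands in for Snort's content: matching.

```python
import struct

ALERT_PAYLOAD = bytes.fromhex(  # first alert in the post, re-typed from its hex dump (54 bytes)
    "467e818000010001000000000638342d"  # id 0x467e, flags 0x8180, counts 1/1/0/0, "\x0684-"
    "303839066461766e657403636f6d0268"  # "089", "\x06davnet", "\x03com", "\x02h"
    "6b0000010001c00c000100010000003c"  # "k\x00", qtype A, class IN, ptr c00c, A, IN, TTL 60
    "0004ca455459"                      # rdlength 4, rdata 202.69.84.89
)
# The two content: patterns from the rule quoted in the post, as raw bytes.
RULE_CONTENT = (bytes.fromhex("81800001000100000000"), bytes.fromhex("c00c000100010000003c0004"))

def read_name(buf, off):
    """Decode a DNS name at buf[off]; returns (name, offset after the name)."""
    labels = []
    while True:
        n = buf[off]
        if n & 0xC0 == 0xC0:                       # compression pointer (0xC00C = offset 12)
            ptr = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            labels.append(read_name(buf, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(buf[off:off + n].decode("ascii"))
        off += n

def decode_flags(flags):
    return {"qr": flags >> 15, "opcode": (flags >> 11) & 0xF, "aa": (flags >> 10) & 1,
            "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1, "rcode": flags & 0xF}

def parse_response(buf):
    """Parse header, question and answer RRs of a DNS response (no EDNS handling)."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!6H", buf, 0)
    qname, off = read_name(buf, 12)
    qtype, qclass = struct.unpack_from("!HH", buf, off)
    off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off, rdata = off + 10 + rdlen, buf[off + 10:off + 10 + rdlen]
        if rtype == 1 and rdlen == 4:              # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
    return {"id": txid, "flags": decode_flags(flags), "counts": (qd, an, ns, ar),
            "qname": qname, "qtype": qtype, "answers": answers}

def rule_matches(payload):
    """Same test the rule applies: both byte patterns occur somewhere in the payload."""
    return all(pat in payload for pat in RULE_CONTENT)
```

The first pattern is just "standard response, RD+RA set, one question, one answer, no authority or additional records"; the second is "an A record whose name is a pointer back to the question, with a 60-second TTL". Any recursive answer shaped like that trips the rule, which is why changing only the TTL in the test below makes the match go away.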
Current thread:
- help with "DNS SPOOF" incidents R P G (May 30)
- Re: help with "DNS SPOOF" incidents Ralf Hildebrandt (May 31)