Snort mailing list archives

help with "DNS SPOOF" incidents


From: R P G <inittab () io jtan com>
Date: Wed, 30 May 2001 21:24:29 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi All,

I'm wondering if someone here can help me analyze what's going on with
this.  My snort sensor has detected these "DNS SPOOF" packets over the
past couple of weeks.  My server is "aaa.bbb.ccc.15" and my server's
configured "forwarders" are "xxx.yyy.zzz.1" and "xxx.yyy.zzz.2".  The
snort rule that has kicked these off is as follows:

alert udp $EXTERNAL 53 -> $INTERNAL any (msg:"DNS SPOOF query response with ttl: 1 min. and no authority"; content:"|81800001000100000000|"; content:"|c00c000100010000003c0004|";)

What could be happening here? Can someone shed some insight on this?  

TIA

- --Bob


- ------------------------------------------------------------------------------
#(1 - 379452) [2001-05-06 01:03:41]  DNS SPOOF query response with ttl
IPv4: xxx.yyy.zzz.1 -> aaa.bbb.ccc.15
      hlen=5 TOS=0 dlen=82 ID=51775 flags=0 offset=0 TTL=52 chksum=2578
UDP:  port=53 -> dport: 1662 len=62
Payload:  length = 54

000 : 46 7E 81 80 00 01 00 01 00 00 00 00 06 38 34 2D   F~...........84-
010 : 30 38 39 06 64 61 76 6E 65 74 03 63 6F 6D 02 68   089.davnet.com.h
020 : 6B 00 00 01 00 01 C0 0C 00 01 00 01 00 00 00 3C   k..............<
030 : 00 04 CA 45 54 59                                 ...ETY
- ------------------------------------------------------------------------------
#(1 - 383336) [2001-05-09 01:08:17]  DNS SPOOF query response with ttl
IPv4: xxx.yyy.zzz.1 -> aaa.bbb.ccc.15
      hlen=5 TOS=0 dlen=82 ID=46083 flags=0 offset=0 TTL=52 chksum=8270
UDP:  port=53 -> dport: 1887 len=62
Payload:  length = 54

000 : BB B1 81 80 00 01 00 01 00 00 00 00 06 38 34 2D   .............84-
010 : 30 37 37 06 64 61 76 6E 65 74 03 63 6F 6D 02 68   077.davnet.com.h
020 : 6B 00 00 01 00 01 C0 0C 00 01 00 01 00 00 00 3C   k..............<
030 : 00 04 CA 45 54 4D                                 ...ETM
- ------------------------------------------------------------------------------
#(1 - 383335) [2001-05-09 01:08:16]  DNS SPOOF query response with ttl
IPv4: xxx.yyy.zzz.2 -> aaa.bbb.ccc.15
      hlen=5 TOS=0 dlen=82 ID=4566 flags=0 offset=0 TTL=53 chksum=49530
UDP:  port=53 -> dport: 1887 len=62
Payload:  length = 54

000 : BB B1 81 80 00 01 00 01 00 00 00 00 06 38 34 2D   .............84-
010 : 30 37 37 06 64 61 76 6E 65 74 03 63 6F 6D 02 68   077.davnet.com.h
020 : 6B 00 00 01 00 01 C0 0C 00 01 00 01 00 00 00 3C   k..............<
030 : 00 04 CA 45 54 4D                                 ...ETM
- ------------------------------------------------------------------------------
#(1 - 384900) [2001-05-14 01:04:39]  DNS SPOOF query response with ttl
IPv4: xxx.yyy.zzz.2 -> aaa.bbb.ccc.15
      hlen=5 TOS=0 dlen=82 ID=18846 flags=0 offset=0 TTL=59 chksum=33714
UDP:  port=53 -> dport: 1441 len=62
Payload:  length = 54

000 : FE ED 81 80 00 01 00 01 00 00 00 00 06 38 34 2D   .............84-
010 : 30 38 38 06 64 61 76 6E 65 74 03 63 6F 6D 02 68   088.davnet.com.h
020 : 6B 00 00 01 00 01 C0 0C 00 01 00 01 00 00 00 3C   k..............<
030 : 00 04 CA 45 54 58                                 ...ETX
- ------------------------------------------------------------------------------
#(1 - 384899) [2001-05-14 01:04:38]  DNS SPOOF query response with ttl
IPv4: xxx.yyy.zzz.1 -> aaa.bbb.ccc.15
      hlen=5 TOS=0 dlen=82 ID=60364 flags=0 offset=0 TTL=59 chksum=57732
UDP:  port=53 -> dport: 1441 len=62
Payload:  length = 54

000 : FE ED 81 80 00 01 00 01 00 00 00 00 06 38 34 2D   .............84-
010 : 30 38 38 06 64 61 76 6E 65 74 03 63 6F 6D 02 68   088.davnet.com.h
020 : 6B 00 00 01 00 01 C0 0C 00 01 00 01 00 00 00 3C   k..............<
030 : 00 04 CA 45 54 58                                 ...ETX
- ------------------------------------------------------------------------------
#(1 - 1533334) [2001-05-29 15:33:50]  DNS SPOOF query response with ttl
IPv4: xxx.yyy.zzz.1 -> aaa.bbb.ccc.15
      hlen=5 TOS=0 dlen=82 ID=4084 flags=0 offset=0 TTL=59 chksum=48477
UDP:  port=53 -> dport: 1675 len=62
Payload:  length = 54

000 : DA 4F 81 80 00 01 00 01 00 00 00 00 06 38 34 2D   .O...........84-
010 : 30 38 38 06 64 61 76 6E 65 74 03 63 6F 6D 02 68   088.davnet.com.h
020 : 6B 00 00 01 00 01 C0 0C 00 01 00 01 00 00 00 3C   k..............<
030 : 00 04 CA 45 54 58                                 ...ETX
- ------------------------------------------------------------------------------
#(1 - 1533544) [2001-05-30 00:09:38]  DNS SPOOF query response with ttl
IPv4: xxx.yyy.zzz.2 -> aaa.bbb.ccc.15
      hlen=5 TOS=0 dlen=82 ID=55890 flags=0 offset=0 TTL=59 chksum=62205
UDP:  port=53 -> dport: 1675 len=62
Payload:  length = 54

000 : E9 E1 81 80 00 01 00 01 00 00 00 00 06 38 34 2D   .............84-
010 : 30 37 37 06 64 61 76 6E 65 74 03 63 6F 6D 02 68   077.davnet.com.h
020 : 6B 00 00 01 00 01 C0 0C 00 01 00 01 00 00 00 3C   k..............<
030 : 00 04 CA 45 54 4D                                 ...ETM
- ------------------------------------------------------------------------------
#(1 - 1533542) [2001-05-30 00:09:38]  DNS SPOOF query response with ttl
IPv4: xxx.yyy.zzz.2 -> aaa.bbb.ccc.15
      hlen=5 TOS=0 dlen=82 ID=55817 flags=0 offset=0 TTL=59 chksum=62278
UDP:  port=53 -> dport: 1675 len=62
Payload:  length = 54

000 : E9 E1 81 80 00 01 00 01 00 00 00 00 06 38 34 2D   .............84-
010 : 30 37 37 06 64 61 76 6E 65 74 03 63 6F 6D 02 68   077.davnet.com.h
020 : 6B 00 00 01 00 01 C0 0C 00 01 00 01 00 00 00 3C   k..............<
030 : 00 04 CA 45 54 4D                                 ...ETM

-----BEGIN PGP SIGNATURE-----

iD8DBQE7FZ1UtbyN5oN9H2YRApgGAJsEykxOkbIboso8DqN8hAoG5ZqM7ACeLw0T
oz84kDQO7/ofEuMco5wkW9M=
=uaoF
-----END PGP SIGNATURE-----



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
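The two content: strings in the rule quoted in the post map directly onto DNS wire format: |81800001000100000000| is the header after the transaction ID (flags 0x8180 = standard response, RD and RA set, RCODE 0; QDCOUNT 1, ANCOUNT 1, NSCOUNT 0, ARCOUNT 0), and |c00c000100010000003c0004| is an answer RR whose name is a compression pointer to offset 12 (the question name), type A, class IN, TTL 0x3c = 60 seconds, RDLENGTH 4. Decoding the first dumped payload with the parser below gives an A record for 84-089.davnet.com.hk pointing at 202.69.84.89 with a 60-second TTL and no authority records, which is exactly what the rule keys on. This is an added example, not code from the original post or from the Snort project; it uses only the Python standard library, PAYLOAD_1 is transcribed from the first alert above, and PAYLOAD_TTL_3600 is a constructed variant used to show the rule staying silent.

```python
"""Decode the DNS responses quoted above and show why the
"DNS SPOOF query response with ttl: 1 min. and no authority" rule fires.

Added example: this is not code from the original post or from Snort.
It uses only the standard library; PAYLOAD_1 is transcribed from the
first alert in the post, PAYLOAD_TTL_3600 is a constructed variant."""
import struct

# Payload of the first alert (54 bytes), transcribed from the hex dump above.
PAYLOAD_1 = bytes.fromhex(
    "467E" "8180" "0001" "0001" "0000" "0000"   # id, flags, QD, AN, NS, AR
    "0638342D303839" "066461766E6574"           # labels "84-089", "davnet"
    "03636F6D" "02686B" "00"                    # labels "com", "hk", root
    "0001" "0001"                               # QTYPE A, QCLASS IN
    "C00C" "0001" "0001" "0000003C" "0004"      # ptr->12, A, IN, TTL 60, rdlen 4
    "CA455459"                                  # rdata 202.69.84.89
)

# Constructed variant (not from the post): same answer but TTL 3600 seconds.
PAYLOAD_TTL_3600 = PAYLOAD_1.replace(bytes.fromhex("0000003C0004"),
                                     bytes.fromhex("00000E100004"))

# The two content: strings from the rule, as raw bytes.
RULE_HEADER = bytes.fromhex("81800001000100000000")     # flags 0x8180, QD=1 AN=1 NS=0 AR=0
RULE_ANSWER = bytes.fromhex("c00c000100010000003c0004") # name ptr 0x0c, A, IN, TTL 60, rdlen 4


def rule_matches(payload):
    """Mimic the rule: without offset/depth modifiers Snort's content matches
    anywhere in the UDP payload, so both byte strings just need to be present."""
    return RULE_HEADER in payload and RULE_ANSWER in payload


def read_name(msg, offset):
    """Read a domain name at msg[offset], following RFC 1035 compression
    pointers. Returns (dotted name, offset just past the name in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = offset + 2                        # stream resumes after the pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end if end is not None else offset


def parse_response(msg):
    """Parse the header, question and answer sections of a DNS message."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    header = {
        "qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF, "aa": flags >> 10 & 1,
        "tc": flags >> 9 & 1, "rd": flags >> 8 & 1, "ra": flags >> 7 & 1,
        "rcode": flags & 0xF,
    }
    off = 12
    questions = []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        rr = {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata}
        if rtype == 1 and rdlen == 4:                   # A record: dotted quad
            rr["address"] = ".".join(str(b) for b in rdata)
        answers.append(rr)
    return {"id": ident, "flags": header, "counts": (qd, an, ns, ar),
            "questions": questions, "answers": answers}


def summarize(payload):
    """One-line summary of why the rule did or did not fire on a payload."""
    r = parse_response(payload)
    a = r["answers"][0] if r["answers"] else None
    return "id=0x%04x %s -> %s ttl=%ds authority=%d rule_match=%s" % (
        r["id"], r["questions"][0][0], a.get("address") if a else "-",
        a["ttl"] if a else -1, r["counts"][2], rule_matches(payload))


if __name__ == "__main__":
    print(summarize(PAYLOAD_1))
    print(summarize(PAYLOAD_TTL_3600))
```

Run as a script it prints one line per payload; the transcribed packet matches, the constructed 3600-second variant does not because the second content string no longer occurs. Note that the rule has no offset or depth modifiers, so it would also fire on any response in which these byte strings happen to appear later in the payload, and it says nothing about whether the transaction ID and source port actually match an outstanding query, which is the check a resolver relies on against spoofing.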

