Snort mailing list archives

Re: Misc - Zone Transfer False Positives


From: Paul Asadoorian <paul.com () home com>
Date: Mon, 09 Jul 2001 12:14:19 -0400

Sure:

#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"IDS212 - MISC - DNS Zone Transfer"; content: "|01 00 00 01 00 00 00 00 00 00|"; flags: AP; offset: 2; depth: 16;)

Snort Information:

-*> Snort! <*-
Version 1.7

Running on:
SunOS <hostname> 5.8 Generic sun4u sparc SUNW,Ultra-5_10




Martin Roesch wrote:

Can you give us the SID of the rule (or the rule itself) that's firing?

     -Marty

Paul Asadoorian wrote:

All:

I have been getting a large number of DNS zone transfers.  After further
investigation I noticed that my mail server was triggering this rule every
minute or so with most of the packets looking like this:

07/09-10:32:39.885532 MY.DNS.SERVER.9:53 -> MY.MAIL.SERVER.202:38356
TCP TTL:63 TOS:0x0 ID:37893 IpLen:20 DgmLen:856 DF
***AP*** Seq: 0xE82EEF59  Ack: 0xCC2A0F95  Win: 0x60F4  TcpLen: 20
03 2E 9F 90 81 80 00 01 00 17 00 05 00 11 07 68  ...............h
6F 74 6D 61 69 6C 03 63 6F 6D 00 00 FF 00 01 C0  otmail.com......
0C 00 02 00 01 00 00 0B 08 00 06 03 6E 73 31 C0  ............ns1.
0C C0 0C 00 02 00 01 00 00 0B 08 00 06 03 6E 73  ..............ns
32 C0 0C C0 0C 00 02 00 01 00 00 0B 08 00 06 03  2...............
6E 73 33 C0 0C C0 0C 00 02 00 01 00 00 0B 08 00  ns3.............
06 03 6E 73 34 C0 0C C0 0C 00 02 00 01 00 00 0B  ..ns4...........
08 00 0C 03 6E 73 31 05 6A 73 6E 65 74 C0 14 C0  ....ns1.jsnet...
0C 00 01 00 01 00 00 0B 08 00 04 40 04 2C 07 C0  ...........@.,..
0C 00 01 00 01 00 00 0B 08 00 04 40 04 2D 07 C0  ...........@.-..
0C 00 01 00 01 00 00 0B 08 00 04 40 04 34 07 C0  ...........@.4..
0C 00 01 00 01 00 00 0B 08 00 04 40 04 35 07 C0  ...........@.5..
0C 00 01 00 01 00 00 0B 08 00 04 40 04 36 07 C0  ...........@.6..
0C 00 01 00 01 00 00 0B 08 00 04 40 04 2B 07 C0  ...........@.+..
0C 00 0F 00 01 00 00 0B 0B 00 0D 00 0A 03 6D 63  ..............mc
32 04 6C 61 77 35 C0 0C C0 0C 00 0F 00 01 00 00  2.law5..........
0B 0B 00 0E 00 0A 03 6D 63 31 05 6C 61 77 31 33  .......mc1.law13
C0 0C C0 0C 00 0F 00 01 00 00 0B 0B 00 08 00 0A  ................
03 6D 63 32 C1 08 C0 0C 00 0F 00 01 00 00 0B 0B  .mc2............
00 08 00 0A 03 6D 63 33 C1 08 C0 0C 00 0F 00 01  .....mc3........
00 00 0B 0B 00 08 00 0A 03 6D 63 34 C1 08 C0 0C  .........mc4....
00 0F 00 01 00 00 0B 0B 00 08 00 0A 03 6D 63 35  .............mc5
C1 08 C0 0C 00 0F 00 01 00 00 0B 0B 00 08 00 0A  ................
03 6D 63 36 C1 08 C0 0C 00 0F 00 01 00 00 0B 0B  .mc6............
00 08 00 0A 03 6D 63 34 C0 EF C0 0C 00 0F 00 01  .....mc4........
00 00 0B 0B 00 08 00 0A 03 6D 63 35 C0 EF C0 0C  .........mc5....
00 0F 00 01 00 00 0B 0B 00 08 00 0A 03 6D 63 36  .............mc6
C0 EF C0 0C 00 0F 00 01 00 00 0B 0B 00 08 00 0A  ................
03 6D 63 37 C0 EF C0 0C 00 0F 00 01 00 00 0B 0B  .mc7............
00 08 00 0A 03 6D 63 31 C0 EF C0 0C 00 02 00 01  .....mc1........
00 00 0B 08 00 02 C0 29 C0 0C 00 02 00 01 00 00  .......)........
0B 08 00 02 C0 3B C0 0C 00 02 00 01 00 00 0B 08  .....;..........
00 02 C0 4D C0 0C 00 02 00 01 00 00 0B 08 00 02  ...M............
C0 5F C0 0C 00 02 00 01 00 00 0B 08 00 02 C0 71  ._.............q
C0 29 00 01 00 01 00 00 08 4C 00 04 D8 C8 CE 8C  .).......L......
C0 3B 00 01 00 01 00 00 08 4C 00 04 D8 C8 CE 8B  .;.......L......
C0 4D 00 01 00 01 00 00 08 4C 00 04 D1 B9 82 44  .M.......L.....D
C0 5F 00 01 00 01 00 00 07 D0 00 04 40 04 1D 18  ._..........@...
C0 71 00 01 00 01 00 00 05 BA 00 04 D1 01 71 03  .q............q.
C0 EB 00 01 00 01 00 00 01 42 00 04 40 04 37 87  .........B..@.7.
C1 04 00 01 00 01 00 00 01 42 00 04 40 04 31 07  .........B..@.1.
C1 1E 00 01 00 01 00 00 01 42 00 04 40 04 31 47  .........B..@.1G
C1 32 00 01 00 01 00 00 01 42 00 04 40 04 31 87  .2.......B..@.1.
C1 46 00 01 00 01 00 00 01 42 00 04 40 04 31 C7  .F.......B..@.1.
C1 5A 00 01 00 01 00 00 01 42 00 04 40 04 32 07  .Z.......B..@.2.
C1 6E 00 01 00 01 00 00 01 42 00 04 40 04 32 47  .n.......B..@.2G
C1 82 00 01 00 01 00 00 01 42 00 04 40 04 38 87  .........B..@.8.
C1 96 00 01 00 01 00 00 01 42 00 04 40 04 38 C7  .........B..@.8.
C1 AA 00 01 00 01 00 00 01 18 00 04 40 04 37 07  ............@.7.
C1 BE 00 01 00 01 00 00 01 42 00 04 40 04 2A 07  .........B..@.*.
C1 D2 00 01 00 01 00 00 01 42 00 04 40 04 37 47  .........B..@.7G

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Is this normal?  It just started happening over the weekend and the same
rule has been in place for at least a week now.  I have commented out the
rule for now but would really like to run with it without having this high
number of false positives.  Are these really false positives or just large
DNS queries (>484 bytes) that are triggering tcp port 53?

Thanks,

Paul

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org


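As an added example (not from this thread or from Snort itself), the script below shows why the IDS212 rule fires on ordinary TCP DNS traffic: its content bytes `01 00 00 01 00 00 00 00 00 00` are just the header of any standard recursive query (flags 0x0100, QDCOUNT 1, all other counts 0), which over TCP sits right after the 2-byte length prefix and transaction ID, inside the rule's offset/depth window, while a real zone transfer is distinguished by QTYPE AXFR (252) in the question. It builds a constructed ANY lookup (the QTYPE seen in the captured hotmail.com reply) and a constructed AXFR request, matches both against the rule pattern and then reads the QTYPE; the offset/depth window check is an assumed approximation of Snort's matching.

```python
import struct

# Byte pattern from the IDS212 rule: content:"|01 00 00 01 00 00 00 00 00 00|"
# = flags 0x0100 (standard query, RD set), QDCOUNT 1, AN/NS/ARCOUNT 0.
IDS212_PATTERN = bytes.fromhex("01000001000000000000")
IDS212_OFFSET, IDS212_DEPTH = 2, 16   # offset:2; depth:16 from the rule

QTYPE_AXFR = 252   # zone transfer request
QTYPE_ANY = 255    # the 00 FF QTYPE visible in the captured hotmail.com reply

# First 14 bytes of the logged response (TCP length 0x032E, ID 9F90, flags
# 8180, QD=1, AN=0x17, NS=5, AR=0x11), copied from the packet dump above.
CAPTURED_RESPONSE_HEAD = bytes.fromhex("032E9F9081800001001700050011")

def encode_name(name):
    """DNS wire-format name: length-prefixed labels plus root terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_tcp_query(txid, qname, qtype):
    """Standard recursive query (flags 0x0100) framed for TCP (2-byte length)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    msg = header + question
    return struct.pack("!H", len(msg)) + msg

def ids212_matches(payload):
    """Assumed approximation of Snort's content/offset/depth test: the
    pattern must occur inside payload[offset:offset+depth]."""
    window = payload[IDS212_OFFSET:IDS212_OFFSET + IDS212_DEPTH]
    return IDS212_PATTERN in window

def tcp_query_qtype(payload):
    """QTYPE of the first question in a TCP-framed DNS message."""
    msg = payload[2:]            # drop the TCP length prefix
    i = 12                       # skip the fixed 12-byte header
    while msg[i] != 0:           # walk the labels (queries use no pointers)
        i += 1 + msg[i]
    i += 1                       # past the root label
    return struct.unpack("!H", msg[i:i + 2])[0]

def is_zone_transfer(payload):
    """What the rule should really ask: header match AND QTYPE AXFR."""
    return ids212_matches(payload) and tcp_query_qtype(payload) == QTYPE_AXFR

# Constructed samples: a TCP ANY lookup like the mail server's, and a true AXFR.
ANY_QUERY = build_tcp_query(0x9F90, "hotmail.com", QTYPE_ANY)
AXFR_QUERY = build_tcp_query(0x9F91, "hotmail.com", QTYPE_AXFR)
```

Both constructed queries satisfy the rule's content match, but only the AXFR one is a zone transfer; the captured response header itself does not match, since the alert is raised on the query that preceded it.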

