Snort mailing list archives
DNS zone transfer?
From: "Marek Gutkowski" <hobbit () maxus com pl>
Date: Wed, 4 Jul 2001 20:02:06 +0200
I find it in my logs regularly. The first computer (initiating the connection) is a www/mail server, nothing to do with DNS, running under Linux. The second is a DNS server, running NT. It seems that the first one tries to download the DNS zone hotmail.com! It doesn't make sense!
07/04-06:24:06.179201 xxx.xxx.xxx.xxx:3211 -> xxx.xxx.xxx.xxx:53
TCP TTL:64 TOS:0x0 ID:16519 IpLen:20 DgmLen:71 DF
***AP*** Seq: 0xB3A4D61B Ack: 0x208246C Win: 0x7D78 TcpLen: 20
0x0000: 00 E0 18 90 75 23 00 06 29 EE 61 2E 08 00 45 00 ....u#..).a...E.
0x0010: 00 47 40 87 40 00 40 06 B6 9B C3 74 DE 53 C3 74 .G@.@.@....t.S.t
0x0020: DE 51 0C 8B 00 35 B3 A4 D6 1B 02 08 24 6C 50 18 .Q...5......$lP.
0x0030: 7D 78 6E 93 00 00 00 1D 01 85 01 00 00 01 00 00 }xn.............
0x0040: 00 00 00 00 07 68 6F 74 6D 61 69 6C 03 63 6F 6D .....hotmail.com
0x0050: 00 00 FF 00 01 .....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/04-06:34:31.757896 xxx.xxx.xxx.xxx:3212 -> xxx.xxx.xxx.xxx:53
TCP TTL:64 TOS:0x0 ID:16552 IpLen:20 DgmLen:71 DF
***AP*** Seq: 0xDA44BE0D Ack: 0x208249F Win: 0x7D78 TcpLen: 20
0x0000: 00 E0 18 90 75 23 00 06 29 EE 61 2E 08 00 45 00 ....u#..).a...E.
0x0010: 00 47 40 A8 40 00 40 06 B6 7A C3 74 DE 53 C3 74 .G@.@.@..z.t.S.t
0x0020: DE 51 0C 8C 00 35 DA 44 BE 0D 02 08 24 9F 50 18 .Q...5.D....$.P.
0x0030: 7D 78 22 DF 00 00 00 1D 3E 73 01 00 00 01 00 00 }x".....>s......
0x0040: 00 00 00 00 07 68 6F 74 6D 61 69 6C 03 63 6F 6D .....hotmail.com
0x0050: 00 00 FF 00 01 .....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/04-07:13:48.116910 xxx.xxx.xxx.xxx:3214 -> xxx.xxx.xxx.xxx:53
TCP TTL:64 TOS:0x0 ID:17578 IpLen:20 DgmLen:71 DF
***AP*** Seq: 0x6E0B8E48 Ack: 0x20824E7 Win: 0x7D78 TcpLen: 20
0x0000: 00 E0 18 90 75 23 00 06 29 EE 61 2E 08 00 45 00 ....u#..).a...E.
0x0010: 00 47 44 AA 40 00 40 06 B2 78 C3 74 DE 53 C3 74 .GD.@.@..x.t.S.t
0x0020: DE 51 0C 8E 00 35 6E 0B 8E 48 02 08 24 E7 50 18 .Q...5n..H..$.P.
0x0030: 7D 78 11 8D 00 00 00 1D EB 79 01 00 00 01 00 00 }x.......y......
0x0040: 00 00 00 00 07 68 6F 74 6D 61 69 6C 03 63 6F 6D .....hotmail.com
0x0050: 00 00 FF 00 01 .....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/04-07:20:40.328335 xxx.xxx.xxx.xxx:3215 -> xxx.xxx.xxx.xxx:53
TCP TTL:64 TOS:0x0 ID:17608 IpLen:20 DgmLen:71 DF
***AP*** Seq: 0x88D9AF15 Ack: 0x2082517 Win: 0x7D78 TcpLen: 20
0x0000: 00 E0 18 90 75 23 00 06 29 EE 61 2E 08 00 45 00 ....u#..).a...E.
0x0010: 00 47 44 C8 40 00 40 06 B2 5A C3 74 DE 53 C3 74 .GD.@.@..Z.t.S.t
0x0020: DE 51 0C 8F 00 35 88 D9 AF 15 02 08 25 17 50 18 .Q...5......%.P.
0x0030: 7D 78 FF A0 00 00 00 1D C1 99 01 00 00 01 00 00 }x..............
0x0040: 00 00 00 00 07 68 6F 74 6D 61 69 6C 03 63 6F 6D .....hotmail.com
0x0050: 00 00 FF 00 01 .....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/04-07:31:25.408384 xxx.xxx.xxx.xxx:3217 -> xxx.xxx.xxx.xxx:53
TCP TTL:64 TOS:0x0 ID:17668 IpLen:20 DgmLen:71 DF
***AP*** Seq: 0xB1169A9B Ack: 0x2082550 Win: 0x7D78 TcpLen: 20
0x0000: 00 E0 18 90 75 23 00 06 29 EE 61 2E 08 00 45 00 ....u#..).a...E.
0x0010: 00 47 45 04 40 00 40 06 B2 1E C3 74 DE 53 C3 74 .GE.@.@....t.S.t
0x0020: DE 51 0C 91 00 35 B1 16 9A 9B 02 08 25 50 50 18 .Q...5......%PP.
0x0030: 7D 78 D6 07 00 00 00 1D D7 34 01 00 00 01 00 00 }x.......4......
0x0040: 00 00 00 00 07 68 6F 74 6D 61 69 6C 03 63 6F 6D .....hotmail.com
0x0050: 00 00 FF 00 01 .....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/04-07:31:28.392245 xxx.xxx.xxx.xxx:3218 -> xxx.xxx.xxx.xxx:53
TCP TTL:64 TOS:0x0 ID:17672 IpLen:20 DgmLen:71 DF
***AP*** Seq: 0xB1EA8AE0 Ack: 0x2082554 Win: 0x7D78 TcpLen: 20
0x0000: 00 E0 18 90 75 23 00 06 29 EE 61 2E 08 00 45 00 ....u#..).a...E.
0x0010: 00 47 45 08 40 00 40 06 B2 1A C3 74 DE 53 C3 74 .GE.@.@....t.S.t
0x0020: DE 51 0C 92 00 35 B1 EA 8A E0 02 08 25 54 50 18 .Q...5......%TP.
0x0030: 7D 78 CB 65 00 00 00 1D F0 B8 01 00 00 01 00 00 }x.e............
0x0040: 00 00 00 00 07 68 6F 74 6D 61 69 6C 03 63 6F 6D .....hotmail.com
0x0050: 00 00 FF 00 01 .....

0x0020: DE 51 0C E3 00 35 DE 38 A4 77 02 37 7E BD 50 18 .Q...5.8.w.7~.P.
0x0030: 7D 78 FD 92 00 00 00 1D 1E BD 01 00 00 01 00 00 }x..............
0x0040: 00 00 00 00 07 68 6F 74 6D 61 69 6C 03 63 6F 6D .....hotmail.com
0x0050: 00 00 FF 00 01 .....
I've got more :) Can anybody enlighten me?

Thanks
Hobbit
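To see what these packets actually ask for, the following added example (editor's code, not from the post and not part of Snort) decodes the first dump above: it walks the Ethernet, IPv4 and TCP headers, strips the two-byte length prefix that DNS over TCP carries (RFC 1035 section 4.2.2), and reports the question section. The packet bytes are copied from the post; the QTYPE names follow RFC 1035, where 252 is AXFR (a zone transfer request) and 255 is ANY. The decoder handles plain label names only, which is all a query's question section normally contains.

```python
"""Decode the DNS question inside a Snort TCP packet hex dump.

Added example (not from the mailing-list post): walk Ethernet -> IPv4 -> TCP,
take the TCP payload, strip the 2-byte DNS-over-TCP length prefix and parse
the DNS header plus the first question.
"""
import re
import struct

# First packet dump from the post, bytes copied verbatim.
SNORT_DUMP = """\
0x0000: 00 E0 18 90 75 23 00 06 29 EE 61 2E 08 00 45 00 ....u#..).a...E.
0x0010: 00 47 40 87 40 00 40 06 B6 9B C3 74 DE 53 C3 74 .G@.@.@....t.S.t
0x0020: DE 51 0C 8B 00 35 B3 A4 D6 1B 02 08 24 6C 50 18 .Q...5......$lP.
0x0030: 7D 78 6E 93 00 00 00 1D 01 85 01 00 00 01 00 00 }xn.............
0x0040: 00 00 00 00 07 68 6F 74 6D 61 69 6C 03 63 6F 6D .....hotmail.com
0x0050: 00 00 FF 00 01 .....
"""

# RFC 1035 QTYPE values that matter when deciding "is this a zone transfer?"
QTYPES = {1: "A", 2: "NS", 6: "SOA", 15: "MX", 251: "IXFR", 252: "AXFR", 255: "ANY"}
ZONE_TRANSFER_QTYPES = (251, 252)

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def dump_to_bytes(dump: str) -> bytes:
    """Turn Snort '0xNNNN: hh hh ... ascii' lines into raw frame bytes.

    After the offset, consume at most 16 two-hex-digit tokens and stop at the
    first token that is not one: that is where the ASCII column begins.
    """
    out = bytearray()
    for line in dump.strip().splitlines():
        _offset, _, rest = line.partition(":")
        for tok in rest.split()[:16]:
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def tcp_payload(frame: bytes) -> bytes:
    """Return the TCP payload of an Ethernet/IPv4/TCP frame."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4              # IP header length in bytes
    (total_len,) = struct.unpack("!H", ip[2:4])
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4         # TCP header length in bytes
    return tcp[data_off:]


def parse_dns_question(msg: bytes) -> dict:
    """Parse the 12-byte DNS header and the first question (labels only)."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    pos, labels = 12, []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name not handled")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return {
        "id": txid, "flags": flags, "qdcount": qdcount,
        "ancount": ancount, "nscount": nscount, "arcount": arcount,
        "qname": ".".join(labels), "qtype": qtype,
        "qtype_name": QTYPES.get(qtype, str(qtype)), "qclass": qclass,
    }


def decode_snort_dns_query(dump: str) -> dict:
    """Full pipeline for one Snort dump of a DNS-over-TCP query."""
    payload = tcp_payload(dump_to_bytes(dump))
    (msg_len,) = struct.unpack("!H", payload[:2])   # DNS-over-TCP length prefix
    question = parse_dns_question(payload[2:2 + msg_len])
    question["tcp_msg_len"] = msg_len
    question["is_zone_transfer"] = question["qtype"] in ZONE_TRANSFER_QTYPES
    return question


if __name__ == "__main__":
    for key, value in decode_snort_dns_query(SNORT_DUMP).items():
        print(f"{key:>16}: {value}")
```

The same `00 00 FF 00 01` tail appears in every dump in the post, so the decoder gives the same answer for each of them; the bytes that settle whether a query is a transfer are the two right after the name's terminating `00`.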