Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: DNS Zone Transfer False Positive

From: James Hoagland <jim () SiliconDefense com>
Date: Wed, 26 Mar 2003 08:45:39 -0800
Ron,

What exact snort version are you using?
Also, any change we can get a hex dump of the TCP payload? E.g., snort's text pretty-printing or tcpdump -X. 

Thanks,

  Jim


At 10:25 AM -0600 3/26/03, Ron Shuck wrote:

Hi,

I have been getting a few DNS Zone Transfer false positives. They
originate from 2K or XP workstations.
When I examined a little closer, it appeared to be a DNS query
containing a TSIG. The signature
portion of the TSIG additional record contains the content string from
the snort signature |00 00 FC|.

Anyone have any ideas of how to eliminate this type of false positive
from the signature? I would also appreciate
any explanation what the heck this traffic does? I am just looking into
rfc2931 and 2535.

Transmission Control Protocol, Src Port: 2856 (2856), Dst Port: domain
(53), Seq: 3389545719, Ack: 3366544751, Len: 273
Domain Name System (query)
    Length: 271
    Transaction ID: 0xcf88
    Flags: 0x0000 (Standard query)
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query
recursively
        .... .... ...0 .... = Non-authenticated data OK:
Non-authenticated data is unacceptable
    Questions: 1
    Answer RRs: 1
    Authority RRs: 0
    Additional RRs: 1
    Queries
        9XXXXXXXXXXX-3: type TKEY, class inet
            Name: 9XXXXXXXXXXX-3
            Type: Transaction Key
            Class: inet
    Answers
        9XXXXXXXXXXX-3: type TKEY, class any
            Name: 9XXXXXXXXXXX-3
            Type: Transaction Key
            Class: any
            Time to live: 0 time
            Data length: 136
            Algorithm name: gss.microsoft.com
            Signature inception: Mar  3, 2003 08:01:36.000000000
            Signature expiration: Mar  4, 2003 08:01:36.000000000
            Mode: GSSAPI
            Error: No error
            Key
            Other
    Additional records
        9XXXXXXXXXXX-3: type TSIG, class any
            Name: 9XXXXXXXXXXX-3
            Type: Transaction Signature
            Class: any
            Time to live: 0 time
            Data length: 51
            Algorithm name: gss.microsoft.com
            Time signed: Mar  3, 2003 08:01:36.000000000
            Fudge: 36000
            Signature
            Original id: 53128
            Error: No error
            Other


Best Regards,


Ron Shuck, CISSP - Managing Consultant
Buchanan Associates - A Technology Company in the People Business
http://www.buchanan.com
http://www.isc2.org

Content-Type: application/x-pkcs7-signature;
        name="smime.p7s"
Content-Disposition: attachment;
        filename="smime.p7s"

Attachment converted: Shu:smime 15.p7s (????/----) (00120A70)



--
|*     Jim Hoagland, Associate Researcher, Silicon Defense     *|
|*    --- Silicon Defense: The Cyberwar Defense Company ---    *|
|*   jim () SiliconDefense com, http://www.silicondefense.com/    *|
|*  Voice: (530) 756-7317                 Fax: (530) 756-7297  *|


-------------------------------------------------------
This SF.net email is sponsored by:
The Definitive IT and Networking Event. Be There!
NetWorld+Interop Las Vegas 2003 -- Register today!
http://ads.sourceforge.net/cgi-bin/redirect.pl?keyn0001en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: