Snort mailing list archives
RE: DNS Zone Transfer False Positive
From: "Geoff Craig" <GCraig () quilogy com>
Date: Wed, 26 Mar 2003 16:02:36 -0600
Hey Ron,

This RFC Draft will assist you in understanding what your clients are doing.
http://ops.ietf.org/lists/namedroppers/namedroppers.199x/msg03939.html

and this MS article (which of course is so long that it does the mandatory Microsoft URL wrap)
http://www.microsoft.com/windows2000/techinfo/reskit/deploymentscenarios/scenarios/dhcp02_use_dynupdate_secdynupdate.asp#dhcp02_howitworks

Geoff

-----Original Message-----
From: Ron Shuck [mailto:rshuck () Buchanan com]
Sent: Wednesday, March 26, 2003 12:47 PM
To: James Hoagland; snort-users () lists sourceforge net

Hi,

Using 1.9.0 still, and it was rev 6 of SID:255.
-- No lectures please, I disabled RPC until I can upgrade -- ;-)

I wasn't sure what the significance of the TKEY name was, so I obfuscated it along with the IP/Checksums.

08:02:03.948630 MY.NET.113.149.2856 > MY.NET.100.21.domain: P [tcp sum ok] 3389545719:3389545992(273) ack 3366544751 win 17267 (DF) (ttl 127, id 13586, len 313)
0x0000 4500 0139 3512 4000 7f06 5426 0000 7195 E..95.@.......q.
0x0010 0000 6415 0b28 0035 ca08 5cf7 c8a9 656f ..d..(.5..\...eo
0x0020 5018 4373 345f 0000 010f cf88 0000 0001 P.Cs............
0x0030 0001 0000 0001 0000 0000 0000 0000 0000 .......XXXXXXXXX
0x0040 3935 342d 3300 00f9 0001 0e00 0000 0000 954-3......XXXXX
0x0050 0000 0000 3935 342d 3300 00f9 00ff 0000 XXXX954-3.......
0x0060 0000 0088 0367 7373 096d 6963 726f 736f .....gss.microso
0x0070 6674 0363 6f6d 003e 6360 403e 64b1 c000 ft.com.>c`@>d...
0x0080 0300 0000 654e 544c 4d53 5350 0003 0000 ....eNTLMSSP....
0x0090 0001 0001 0054 0000 0000 0000 0055 0000 .....T.......U..
0x00a0 0000 0000 0040 0000 0000 0000 0040 0000 .....@.......@..
0x00b0 0014 0014 0040 0000 0010 0010 0055 0000 .....@.......U..
0x00c0 0015 8a88 e043 0045 004e 002d 0031 0030 .....C.E.N.-.1.0
0x00d0 0037 002d 0031 0033 0000 a8bf 4a19 6e0a .7.-.1.3....J.n.
0x00e0 6684 44f3 e21c 2b68 ed4c 0000 0e00 0000 f.D...+h.L...XXX
0x00f0 0000 0000 0000 3935 342d 3300 00fa 00ff XXXXXX954-3.....
0x0100 0000 0000 0033 0367 7373 096d 6963 726f .....3.gss.micro
0x0110 736f 6674 0363 6f6d 0000 003e 6360 408c soft.com...>c`@.
0x0120 a000 1001 0000 00fc 88a8 0101 288c b400 ............(...
0x0130 0000 00cf 8800 0000 00 .........

Best Regards,

Ron Shuck, CISSP - Managing Consultant
Buchanan Associates - A Technology Company in the People Business
http://www.buchanan.com
http://www.isc2.org

-----Original Message-----
From: James Hoagland [mailto:jim () SiliconDefense com]
Sent: Wednesday, March 26, 2003 10:46 AM
To: Ron Shuck; snort-users () lists sourceforge net
Subject: Re: [Snort-users] DNS Zone Transfer False Positive

Ron,

What exact snort version are you using? Also, any chance we can get a hex dump of the TCP payload? E.g., snort's text pretty-printing or tcpdump -X.

Thanks,
Jim

At 10:25 AM -0600 3/26/03, Ron Shuck wrote:
Hi,

I have been getting a few DNS Zone Transfer false positives. They originate from 2K or XP workstations. When I examined a little closer, it appeared to be a DNS query containing a TSIG. The signature portion of the TSIG additional record contains the content string from the snort signature |00 00 FC|. Anyone have any ideas of how to eliminate this type of false positive from the signature? I would also appreciate any explanation of what the heck this traffic does? I am just looking into rfc2931 and 2535.

Transmission Control Protocol, Src Port: 2856 (2856), Dst Port: domain (53), Seq: 3389545719, Ack: 3366544751, Len: 273
Domain Name System (query)
    Length: 271
    Transaction ID: 0xcf88
    Flags: 0x0000 (Standard query)
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable
    Questions: 1
    Answer RRs: 1
    Authority RRs: 0
    Additional RRs: 1
    Queries
        9XXXXXXXXXXX-3: type TKEY, class inet
            Name: 9XXXXXXXXXXX-3
            Type: Transaction Key
            Class: inet
    Answers
        9XXXXXXXXXXX-3: type TKEY, class any
            Name: 9XXXXXXXXXXX-3
            Type: Transaction Key
            Class: any
            Time to live: 0 time
            Data length: 136
            Algorithm name: gss.microsoft.com
            Signature inception: Mar 3, 2003 08:01:36.000000000
            Signature expiration: Mar 4, 2003 08:01:36.000000000
            Mode: GSSAPI
            Error: No error
            Key
            Other
    Additional records
        9XXXXXXXXXXX-3: type TSIG, class any
            Name: 9XXXXXXXXXXX-3
            Type: Transaction Signature
            Class: any
            Time to live: 0 time
            Data length: 51
            Algorithm name: gss.microsoft.com
            Time signed: Mar 3, 2003 08:01:36.000000000
            Fudge: 36000
            Signature
            Original id: 53128
            Error: No error
            Other

Best Regards,

Ron Shuck, CISSP - Managing Consultant
Buchanan Associates - A Technology Company in the People Business
http://www.buchanan.com
http://www.isc2.org
--
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: The Cyberwar Defense Company --- *|
|* jim () SiliconDefense com, http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
Current thread:
- DNS Zone Transfer False Positive Ron Shuck (Mar 26)
- Re: DNS Zone Transfer False Positive James Hoagland (Mar 26)
- <Possible follow-ups>
- RE: DNS Zone Transfer False Positive Geoff Craig (Mar 26)
- RE: DNS Zone Transfer False Positive Ron Shuck (Mar 26)
- RE: DNS Zone Transfer False Positive James Hoagland (Mar 27)
- RE: DNS Zone Transfer False Positive Geoff Craig (Mar 26)