Snort mailing list archives
RE: DNS Help/ SID 1948
From: "Vanish Pattni (DSL AK)" <VanishP () datacom co nz>
Date: Thu, 8 May 2003 09:43:53 +1200
We get a few of these every day. However, at first we checked the DNS server logs to see if a zone transfer had indeed happened, but that was not the case. Finally we settled down to the fact that UDP is connectionless and the packets could easily be spoofed. TCP zone transfers have to come from a valid IP address, and that is what you really have to look out for. Check your DNS server logs for any uncertainty.

cheers
Vanish

-----Original Message-----
From: Everist, Benjamin S. (NASWI) [mailto:EveristB () naswi navy mil]
Sent: Thursday, May 08, 2003 6:45 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] DNS Help/ SID 1948

Is the alert below really a DNS Zone transfer? If not, what is it?

------------------------------------------------------------------------------
#(1 - 324871) [2003-05-06 09:15:04] [arachNIDS/212] [cve/CAN-1999-0532] [icat/CAN-1999-0532] [snort/1948] DNS zone transfer UDP
IPv4: 207.115.64.2 -> my.home.net
      hlen=5 TOS=0 dlen=170 ID=0 flags=0 offset=0 TTL=47 chksum=51810
UDP:  port=53 -> dport: 53 len=150
Payload: length = 142
000 : 54 50 80 00 00 01 00 00 00 02 00 03 03 31 31 36 TP...........116
010 : 06 31 31 32 2F 32 38 03 31 33 35 02 31 38 02 31 .112/28.135.18.1
020 : 32 07 69 6E 2D 61 64 64 72 04 61 72 70 61 00 00 2.in-addr.arpa..
030 : 0C 00 01 C0 10 00 02 00 01 **00 00 FC** DB 00 12 03 ................
040 : 6E 73 32 08 69 73 6F 6D 65 64 69 61 03 63 6F 6D ns2.isomedia.com
050 : 00 C0 10 00 02 00 01 **00 00 FC** DB 00 06 03 6E 73 ..............ns
060 : 31 C0 43 C0 5D 00 01 00 01 00 00 2A 30 00 04 CF 1.C.]......*0...
070 : 73 40 02 C0 3F 00 01 00 01 00 00 2A 30 00 04 CF s@..?......*0...
080 : 73 40 03 00 00 29 10 00 00 00 80 00 00 00       s@...)........

and here's the sig that triggered it:

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer UDP"; content: "|00 00 FC|"; offset:14; reference:cve,CAN-1999-0532; reference:arachnids,212; classtype:attempted-recon; sid:1948; rev:1;)

Your thoughts are appreciated...
v/r, Benjamin Everist
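Added example, not from the thread and not Snort's own code: a small Python decoder for the payload quoted in the alert above, plus an emulation of the rule's `content:"|00 00 FC|"; offset:14` match. The payload bytes are transcribed from the hex dump in the post; the function and field names are my own. It reports which DNS field each content hit lands in and contrasts the raw byte-pattern match with a structural check for an AXFR question, which is the kind of test a detection engineer would want before deciding whether SID 1948 fired on a zone transfer or on something else.

```python
"""
Added example (not from the mailing-list thread): decode the DNS payload
quoted in the alert, then emulate the rule's content match to see which
protocol field the bytes |00 00 FC| fall in.  Names are my own.
"""
import struct

# Payload transcribed from the hex dump in the alert (142 bytes).
PAYLOAD = bytes.fromhex(
    "54 50 80 00 00 01 00 00 00 02 00 03 03 31 31 36 "
    "06 31 31 32 2F 32 38 03 31 33 35 02 31 38 02 31 "
    "32 07 69 6E 2D 61 64 64 72 04 61 72 70 61 00 00 "
    "0C 00 01 C0 10 00 02 00 01 00 00 FC DB 00 12 03 "
    "6E 73 32 08 69 73 6F 6D 65 64 69 61 03 63 6F 6D "
    "00 C0 10 00 02 00 01 00 00 FC DB 00 06 03 6E 73 "
    "31 C0 43 C0 5D 00 01 00 01 00 00 2A 30 00 04 CF "
    "73 40 02 C0 3F 00 01 00 01 00 00 2A 30 00 04 CF "
    "73 40 03 00 00 29 10 00 00 00 80 00 00 00"
)

TYPE_NAMES = {1: "A", 2: "NS", 12: "PTR", 41: "OPT", 252: "AXFR"}
QTYPE_AXFR = 252


def read_name(buf, off):
    """Read a domain name at `off`, following RFC 1035 compression pointers.
    Returns (name, offset just past the name in the *original* byte stream)."""
    labels, end = [], None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2                           # name ends at its first pointer
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_dns(buf):
    """Minimal DNS message decoder that records where each field sits in the payload."""
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", buf[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(buf, off)
        qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
        questions.append({"name": name, "qtype": qtype, "qclass": qclass, "qtype_offset": off})
        off += 4
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(buf, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
            rec = {"section": section, "name": name, "type": rtype, "ttl": ttl,
                   "ttl_offset": off + 4, "rdata": buf[off + 10:off + 10 + rdlen]}
            if rtype in (2, 12):                        # NS / PTR rdata is a name
                rec["rdata_name"] = read_name(buf, off + 10)[0]
            elif rtype == 1 and rdlen == 4:             # A rdata is an IPv4 address
                rec["rdata_name"] = ".".join(str(b) for b in rec["rdata"])
            records.append(rec)
            off += 10 + rdlen
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "records": records}


def content_hits(buf, content=b"\x00\x00\xFC", offset=14):
    """Emulate `content:"|00 00 FC|"; offset:14`: every match at or after payload byte 14."""
    hits, pos = [], buf.find(content, offset)
    while pos != -1:
        hits.append(pos)
        pos = buf.find(content, pos + 1)
    return hits


def field_at(msg, pos):
    """Name the DNS field that contains payload byte `pos`."""
    for q in msg["questions"]:
        if q["qtype_offset"] <= pos < q["qtype_offset"] + 2:
            return "QTYPE of question %s" % q["name"]
    for r in msg["records"]:
        if r["ttl_offset"] <= pos < r["ttl_offset"] + 4:
            return "TTL of %s %s record for %s" % (
                r["section"], TYPE_NAMES.get(r["type"], r["type"]), r["name"])
    return "other"


def is_axfr_query(msg):
    """Structural check: a zone-transfer request is a query whose QTYPE is AXFR."""
    return not msg["is_response"] and any(q["qtype"] == QTYPE_AXFR for q in msg["questions"])


if __name__ == "__main__":
    msg = parse_dns(PAYLOAD)
    print("response:", msg["is_response"], "question:", msg["questions"][0]["name"],
          TYPE_NAMES[msg["questions"][0]["qtype"]])
    for r in msg["records"]:
        print(" ", r["section"], TYPE_NAMES.get(r["type"], r["type"]), r["name"],
              "->", r.get("rdata_name", r["rdata"].hex()), "ttl", r["ttl"])
    for pos in content_hits(PAYLOAD):
        print("|00 00 FC| at byte %d (0x%02x): %s" % (pos, pos, field_at(msg, pos)))
    print("AXFR query:", is_axfr_query(msg))
```

Running the script decodes the payload as a response (QR bit set) to a PTR question for `116.112/28.135.18.12.in-addr.arpa`, with two authority NS records for `ns1.isomedia.com` and `ns2.isomedia.com` and their glue A records; both `|00 00 FC|` hits sit in the TTL field (0x0000FCDB) of those NS records, not in a QTYPE, and the structural AXFR check is false. Any other captured DNS payload can be dropped into `PAYLOAD` to run the same comparison.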
Current thread:
- DNS Help/ SID 1948 Everist, Benjamin S. (NASWI) (May 07)
- <Possible follow-ups>
- RE: DNS Help/ SID 1948 Vanish Pattni (DSL AK) (May 07)
- RE: DNS Help/ SID 1948 Demetri Mouratis (May 07)
- Re: DNS Help/ SID 1948 Mathias Gygax (May 07)
- RE: DNS Help/ SID 1948 Demetri Mouratis (May 07)
- RE: DNS Help/ SID 1948 Joesph Bowling (May 07)