Snort mailing list archives
RE: DNS Help/ SID 1948
From: Demetri Mouratis <dmourati () cm math uiuc edu>
Date: Wed, 7 May 2003 17:39:06 -0500 (CDT)
Uhh, don't DNS zone transfers use TCP?

On Thu, 8 May 2003, Vanish Pattni (DSL AK) wrote:

We get a few of these every day. However, at first we checked the DNS server logs to see if a zone transfer had indeed happened, but that was not the case. Finally we settled down to the fact that UDP is connectionless and the packets could easily be spoofed. TCP zone transfers have to come from a valid IP address, and that is what you really have to look out for. Check your DNS server logs for any uncertainty.

cheers
Vanish

-----Original Message-----
From: Everist, Benjamin S. (NASWI) [mailto:EveristB () naswi navy mil]
Sent: Thursday, May 08, 2003 6:45 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] DNS Help/ SID 1948

Is the alert below really a DNS Zone transfer? If not, what is it?

------------------------------------------------------------------------------
#(1 - 324871) [2003-05-06 09:15:04] [arachNIDS/212] [cve/CAN-1999-0532] [icat/CAN-1999-0532] [snort/1948] DNS zone transfer UDP
IPv4: 207.115.64.2 -> my.home.net
hlen=5 TOS=0 dlen=170 ID=0 flags=0 offset=0 TTL=47 chksum=51810
UDP: port=53 -> dport: 53 len=150
Payload: length = 142
000 : 54 50 80 00 00 01 00 00 00 02 00 03 03 31 31 36 TP...........116
010 : 06 31 31 32 2F 32 38 03 31 33 35 02 31 38 02 31 .112/28.135.18.1
020 : 32 07 69 6E 2D 61 64 64 72 04 61 72 70 61 00 00 2.in-addr.arpa..
030 : 0C 00 01 C0 10 00 02 00 01 **00 00 FC** DB 00 12 03 ................
040 : 6E 73 32 08 69 73 6F 6D 65 64 69 61 03 63 6F 6D ns2.isomedia.com
050 : 00 C0 10 00 02 00 01 **00 00 FC** DB 00 06 03 6E 73 ..............ns
060 : 31 C0 43 C0 5D 00 01 00 01 00 00 2A 30 00 04 CF 1.C.]......*0...
070 : 73 40 02 C0 3F 00 01 00 01 00 00 2A 30 00 04 CF s@..?......*0...
080 : 73 40 03 00 00 29 10 00 00 00 80 00 00 00 s@...)........

and here's the sig that triggered it:

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer UDP"; content: "|00 00 FC|"; offset:14; reference:cve,CAN-1999-0532; reference:arachnids,212; classtype:attempted-recon; sid:1948; rev:1;)

Your thoughts are appreciated...
v/r, Benjamin Everist
---------------------------------------------------------------------
Demetri Mouratis
dmourati () linfactory com
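To see what the rule actually matched, here is an added example (my own code, not from the thread or from Snort) that decodes the payload from the hex dump above. It shows the packet is a PTR response (QR bit set, question type 12) and that the "00 00 FC" the rule finds at or after offset 14 is the top of the 0x0000FCDB TTL on the NS records in the authority section, not an AXFR question type (252); is_axfr_query is the check the rule is really after, and the constructed AXFR query in the comments is the only input not taken from the page.

```python
import struct

PAYLOAD = bytes.fromhex(  # the alert's UDP payload from this thread, re-typed from its hex dump
    "54508000000100000002000303313136" "063131322F3238033133350231380231"
    "3207696E2D6164647204617270610000" "0C0001C010000200010000FCDB001203"
    "6E73320869736F6D6564696103636F6D" "00C010000200010000FCDB0006036E73"
    "31C043C05D0001000100002A300004CF" "734002C03F0001000100002A300004CF"
    "7340030000291000000080000000"
)
QTYPE_AXFR = 252  # 0x00FC: the question type the rule's "|00 00 FC|" is meant to catch
def read_name(buf, pos):
    """Decode a DNS name at pos, following compression pointers; return (name, next pos)."""
    labels, end = [], None
    while buf[pos] != 0:
        if buf[pos] & 0xC0 == 0xC0:  # compression pointer: 14-bit offset into the message
            end = pos + 2 if end is None else end
            pos = struct.unpack("!H", buf[pos:pos + 2])[0] & 0x3FFF
        else:
            labels.append(buf[pos + 1:pos + 1 + buf[pos]].decode("ascii"))
            pos += 1 + buf[pos]
    return ".".join(labels), (pos + 1 if end is None else end)
def parse(buf):
    """QR flag, questions (with the offset of their QTYPE) and, per RR, the TTL's byte span."""
    _, flags, qd, an, ns, ar = struct.unpack("!6H", buf[:12])
    pos, questions, records = 12, [], []
    for _ in range(qd):
        name, pos = read_name(buf, pos)
        questions.append({"name": name, "qtype": struct.unpack("!H", buf[pos:pos + 2])[0], "qtype_at": pos})
        pos += 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        name, pos = read_name(buf, pos)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", buf[pos:pos + 10])
        records.append({"name": name, "type": rtype, "ttl": ttl, "ttl_span": (pos + 4, pos + 8)})
        pos += 10 + rdlen
    return {"response": bool(flags & 0x8000), "questions": questions, "records": records}
def is_axfr_query(buf):
    """What the rule intends: a query (QR=0) whose question type is AXFR."""
    p = parse(buf)
    return not p["response"] and any(q["qtype"] == QTYPE_AXFR for q in p["questions"])
def rule_hit_field(buf):
    """Which field the rule's content match ('|00 00 FC|' searched from offset 14) lands in."""
    hit, p = buf.find(b"\x00\x00\xFC", 14), parse(buf)
    if hit == -1:
        return None
    if any(q["qtype_at"] == hit + 1 for q in p["questions"]):  # name terminator + QTYPE 0x00FC
        return hit, "QTYPE of the question (AXFR)"
    for r in p["records"]:
        if r["ttl_span"][0] <= hit < r["ttl_span"][1]:
            return hit, f"TTL of {r['name']} (type {r['type']})"
    return hit, "elsewhere"
```

On this payload rule_hit_field returns offset 57 inside the first NS record's TTL, while a constructed AXFR query (header with QR=0, one question for example.com, type 252) hits at the question's QTYPE, which is the case the rule was written for.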
Current thread:
- DNS Help/ SID 1948 Everist, Benjamin S. (NASWI) (May 07)
- <Possible follow-ups>
- RE: DNS Help/ SID 1948 Vanish Pattni (DSL AK) (May 07)
- RE: DNS Help/ SID 1948 Demetri Mouratis (May 07)
- Re: DNS Help/ SID 1948 Mathias Gygax (May 07)
- RE: DNS Help/ SID 1948 Demetri Mouratis (May 07)
- RE: DNS Help/ SID 1948 Joesph Bowling (May 07)