Snort mailing list archives

Re: help with "DNS SPOOF" incidents


From: Ralf Hildebrandt <Ralf.Hildebrandt () innominate com>
Date: Thu, 31 May 2001 22:40:37 +0200

On Wed, May 30, 2001 at 09:24:29PM -0400, R P G wrote:
Hi All,

I'm wondering if someone here can help me analyze what's going on with
this.  My snort sensor has detected these "DNS SPOOF" packets over the
past couple of weeks.  My server is "aaa.bbb.ccc.15" and my server's
configured "forwarders" are "xxx.yyy.zzz.1" and "xxx.yyy.zzz.2".  The
snort rule that has kicked these off is as follows:

Maybe somebody is querying domains with a really low TTL? Something like myip.net?

000 : 46 7E 81 80 00 01 00 01 00 00 00 00 06 38 34 2D   F~...........84-
010 : 30 38 39 06 64 61 76 6E 65 74 03 63 6F 6D 02 68   089.davnet.com.h
020 : 6B 00 00 01 00 01 C0 0C 00 01 00 01 00 00 00 3C   k..............<
030 : 00 04 CA 45 54 59                                 ...ETY

% dig  84-089.davnet.com.hk

;; ANSWER SECTION:
84-089.davnet.com.hk.   60      IN      A       202.69.84.89

Yup, that's it.
-- 
ralf.hildebrandt () innominate com                            innominate AG
System Engineer                        Don't be afraid of what you see -
Diplom-Informatiker                     be afraid of what you don't see!
tel: +49.(0)7000.POSTFIX  fax: +49.(0)30.308806-698         
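To make the reply concrete for anyone tuning the same alert: the dump above decodes to a plain DNS response (flags 0x8180, one question, one answer, no authority and no additional records) whose single A record for 84-089.davnet.com.hk carries a TTL of 0x3C = 60 seconds and the address 202.69.84.89, i.e. exactly what Ralf's dig returned. The following Python is an added example for this archive page, not Snort code and not the poster's rule (the rule text did not survive in the archive). It parses the bytes from the dump and applies a heuristic reconstructed from the fields visible in it; that the original rule keys on precisely these fields is an assumption. The second packet, with the TTL rewritten to 3600, is constructed to show the check not firing.

```python
"""Decode the DNS response quoted in the thread and apply a low-TTL,
no-authority heuristic of the kind a "DNS SPOOF" alert would key on.

Added example for this mailing-list page; not Snort's rule and not code
from the thread. The matching conditions are an assumption reconstructed
from the hex dump (flags 0x8180, QDCOUNT 1, ANCOUNT 1, NSCOUNT 0,
ARCOUNT 0, A record with TTL 60)."""
import struct
from typing import Tuple

# The 54-byte packet from the message, re-typed from the hex dump.
PACKET = bytes.fromhex(
    "46 7E 81 80 00 01 00 01 00 00 00 00 06 38 34 2D"
    "30 38 39 06 64 61 76 6E 65 74 03 63 6F 6D 02 68"
    "6B 00 00 01 00 01 C0 0C 00 01 00 01 00 00 00 3C"
    "00 04 CA 45 54 59"
)

# Constructed variant: same packet, answer TTL (bytes 44..47) set to 3600.
NORMAL_TTL_PACKET = PACKET[:44] + struct.pack("!I", 3600) + PACKET[48:]


def read_name(pkt: bytes, off: int) -> Tuple[str, int]:
    """Read a DNS name at `off`, following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name as written at `off`)."""
    labels = []
    jumped = False
    end = off
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer
            ptr = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped = True
            off = ptr
            continue
        off += 1
        if length == 0:  # root label terminates the name
            if not jumped:
                end = off
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_response(pkt: bytes) -> dict:
    """Parse the header, question and answer sections of a DNS message."""
    tid, flags, qd, an, ns, ar = struct.unpack_from("!6H", pkt, 0)
    off = 12
    questions = []
    for _ in range(qd):
        name, off = read_name(pkt, off)
        qtype, qclass = struct.unpack_from("!HH", pkt, off)
        off += 4
        questions.append((name, qtype, qclass))
    answers = []
    for _ in range(an):
        name, off = read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        # Render A records as dotted quads, anything else as hex.
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "rdata": value})
    return {"id": tid, "flags": flags, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar, "questions": questions, "answers": answers}


def matches_low_ttl_heuristic(pkt: bytes) -> bool:
    """True when the response looks like the quoted alert: a standard
    response with one question, one A answer, no authority/additional
    records, and a TTL of exactly 60 seconds. Any legitimate 60-second
    TTL answer (dynamic DNS and the like) satisfies this too, which is
    why such an alert is noisy."""
    r = parse_response(pkt)
    if r["flags"] != 0x8180 or (r["qdcount"], r["ancount"], r["nscount"], r["arcount"]) != (1, 1, 0, 0):
        return False
    ans = r["answers"][0]
    return ans["type"] == 1 and ans["ttl"] == 60


if __name__ == "__main__":
    for label, pkt in (("dump from thread", PACKET), ("TTL rewritten to 3600", NORMAL_TTL_PACKET)):
        r = parse_response(pkt)
        a = r["answers"][0]
        print(f"{label}: {a['name']} A {a['rdata']} ttl={a['ttl']} "
              f"nscount={r['nscount']} -> fires={matches_low_ttl_heuristic(pkt)}")
```

Running it prints the decoded answer for both packets; only the original dump, with its 60-second TTL and empty authority section, satisfies the heuristic, which is the point of the reply: the alert flags a characteristic of low-TTL zones rather than evidence of spoofing, so a sensor seeing it should correlate the answer against an independent lookup (as the dig above does) before treating it as an incident.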

