Snort mailing list archives

Re: DNS zone transfer?


From: James Hoagland <hoagland () SiliconDefense com>
Date: Wed, 11 Jul 2001 10:34:02 -0700

At 8:02 PM +0200 7/4/01, Marek Gutkowski wrote:
I find it in my logs regularly. The first computer (initiating the
connection) is a www/mail server, nothing to do with DNS, running under
Linux.
The second is a DNS server, using NT.
It seems that the first one tries to download the DNS zone hotmail.com! It
doesn't make sense!


 07/04-06:24:06.179201 xxx.xxx.xxx.xxx:3211 -> xxx.xxx.xxx.xxx:53
 TCP TTL:64 TOS:0x0 ID:16519 IpLen:20 DgmLen:71 DF
 ***AP*** Seq: 0xB3A4D61B  Ack: 0x208246C  Win: 0x7D78  TcpLen: 20
 0x0000: 00 E0 18 90 75 23 00 06 29 EE 61 2E 08 00 45 00  ....u#..).a...E.
 0x0010: 00 47 40 87 40 00 40 06 B6 9B C3 74 DE 53 C3 74  .G@.@.@....t.S.t
 0x0020: DE 51 0C 8B 00 35 B3 A4 D6 1B 02 08 24 6C 50 18  .Q...5......$lP.
 0x0030: 7D 78 6E 93 00 00 00 1D 01 85 01 00 00 01 00 00  }xn.............
 0x0040: 00 00 00 00 07 68 6F 74 6D 61 69 6C 03 63 6F 6D  .....hotmail.com
 0x0050: 00 00 FF 00 01                                   .....

This does not look like a zone transfer to me. You did not include the rule you were using to catch this, but this looks like it was caught using an older signature for a zone transfer. Check out this signature from arachNIDS:

alert TCP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS212/dns_dns-zone-transfer"; flags: A+; content: "|FC|"; offset: 13;)

This one *should* only trigger on actual zone transfers. In any case, you always need to follow up on alerts to see if the signature caught what it was supposed to and whether the context was malicious or not.

Best regards,

  Jim
--
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland () SiliconDefense com                *|
|*              http://www.silicondefense.com/              *|
|*      Silicon Defense - Technical Support for Snort       *|
|*  Voice: (530) 756-7317              Fax: (530) 756-7297  *|

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
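Added example for this archive page (not code from Jim's reply or from the Snort project): it decodes the quoted hex dump down to the DNS question and applies the IDS212 rule's byte-match logic to it. The packet's QTYPE is 0x00FF (ANY), so no 0xFC byte is present and the rule would not fire; a stricter parsed-QTYPE check is included because `content: "|FC|"; offset: 13` matches any 0xFC byte from that offset on, not only the AXFR QTYPE. The hex dump is transcribed from the alert above as constructed input.

```python
"""Decode the DNS-over-TCP query from the quoted hex dump and apply the
arachNIDS IDS212 byte-match logic (content "|FC|"; offset 13) to it.
Added example for this archive page, not code from the original thread."""
import re
import struct

# Transcribed from the quoted Snort alert (constructed input; ASCII column dropped).
HEXDUMP = """
0x0000: 00 E0 18 90 75 23 00 06 29 EE 61 2E 08 00 45 00
0x0010: 00 47 40 87 40 00 40 06 B6 9B C3 74 DE 53 C3 74
0x0020: DE 51 0C 8B 00 35 B3 A4 D6 1B 02 08 24 6C 50 18
0x0030: 7D 78 6E 93 00 00 00 1D 01 85 01 00 00 01 00 00
0x0040: 00 00 00 00 07 68 6F 74 6D 61 69 6C 03 63 6F 6D
0x0050: 00 00 FF 00 01
"""
QTYPE_NAMES = {1: "A", 2: "NS", 15: "MX", 252: "AXFR", 255: "ANY"}

def hexdump_to_bytes(dump: str) -> bytes:
    """Drop the 0xNNNN: offset column and join the remaining hex bytes."""
    return bytes(int(b, 16) for line in dump.splitlines()
                 for b in re.sub(r"^\s*0x[0-9A-Fa-f]+:", "", line).split())

def tcp_payload(frame: bytes) -> bytes:
    """Walk Ethernet (14 bytes) -> IPv4 (IHL) -> TCP (data offset) to the segment data."""
    ihl = (frame[14] & 0x0F) * 4
    tcp = 14 + ihl
    doff = (frame[tcp + 12] >> 4) * 4
    return frame[tcp + doff:]

def parse_dns_tcp_query(payload: bytes) -> dict:
    """DNS over TCP: 2-byte length prefix, 12-byte header, then the first question."""
    length, = struct.unpack("!H", payload[:2])
    msg = payload[2:2 + length]
    ident, flags, qdcount = struct.unpack("!HHH", msg[:6])
    pos, labels = 12, []
    while msg[pos]:                      # a zero length octet ends the name
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode("ascii"))
        pos += 1 + msg[pos]
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return {"id": ident, "rd": bool(flags & 0x0100), "qdcount": qdcount,
            "qname": ".".join(labels), "qtype": qtype,
            "qtype_name": QTYPE_NAMES.get(qtype, str(qtype)), "qclass": qclass}

def ids212_matches(payload: bytes) -> bool:
    """Snort semantics of content:"|FC|"; offset:13: any 0xFC byte at or after offset 13."""
    return b"\xfc" in payload[13:]

def is_axfr(payload: bytes) -> bool:
    """Stricter check: the decoded QTYPE is AXFR (252), not just a stray 0xFC byte."""
    return parse_dns_tcp_query(payload)["qtype"] == 252
```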
