Snort mailing list archives
Re: DNS zone transfer?
From: James Hoagland <hoagland () SiliconDefense com>
Date: Wed, 11 Jul 2001 10:34:02 -0700
At 8:02 PM +0200 7/4/01, Marek Gutkowski wrote:
> I find it in my logs regularly. The first computer (initiating the connection) is a www/mail server, nothing to do with DNS, running under Linux. Second is a DNS server, using NT. It seems that the first one tries to download DNS zone hotmail.com! It doesn't make sense!
>
> 07/04-06:24:06.179201 xxx.xxx.xxx.xxx:3211 -> xxx.xxx.xxx.xxx:53
> TCP TTL:64 TOS:0x0 ID:16519 IpLen:20 DgmLen:71 DF
> ***AP*** Seq: 0xB3A4D61B  Ack: 0x208246C  Win: 0x7D78  TcpLen: 20
> 0x0000: 00 E0 18 90 75 23 00 06 29 EE 61 2E 08 00 45 00  ....u#..).a...E.
> 0x0010: 00 47 40 87 40 00 40 06 B6 9B C3 74 DE 53 C3 74  .G@.@.@....t.S.t
> 0x0020: DE 51 0C 8B 00 35 B3 A4 D6 1B 02 08 24 6C 50 18  .Q...5......$lP.
> 0x0030: 7D 78 6E 93 00 00 00 1D 01 85 01 00 00 01 00 00  }xn.............
> 0x0040: 00 00 00 00 07 68 6F 74 6D 61 69 6C 03 63 6F 6D  .....hotmail.com
> 0x0050: 00 00 FF 00 01                                   .....
This does not look like a zone transfer to me. You did not include the rule you were using to catch this, but this looks like it was caught using an older signature for a zone transfer. Check out this signature from arachNIDS:
alert TCP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS212/dns_dns-zone-transfer"; flags: A+; content: "|FC|"; offset: 13;)
This one *should* only trigger on actual zone transfers. In any case, you always need to follow up on alerts to see if the signature caught what it was supposed to and whether the context was malicious or not.
Best regards,

  Jim

-- 
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*                 hoagland () SiliconDefense com                  *|
|*               http://www.silicondefense.com/                  *|
|*          Silicon Defense - Technical Support for Snort        *|
|*     Voice: (530) 756-7317                Fax: (530) 756-7297  *|

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
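The following is an added worked example, not code from this thread, from Snort or from arachNIDS. It re-enters by hand the TCP payload of the packet quoted above (the 31 bytes following the IP and TCP headers), decodes the DNS-over-TCP question the way a reviewer following up on the alert would, and shows that the QTYPE is 0x00FF (ANY), not 0x00FC (AXFR): a query for all records of hotmail.com, not a zone transfer. It then contrasts a field-level check (parse the question, test QTYPE against AXFR/IXFR) with a raw `|FC|` byte search starting at payload offset 13 as in the rule quoted above. The function names, the AXFR request and the query whose label contains a 0xFC byte are all constructed for illustration; only the first payload comes from the quoted dump.

```python
import struct

# Query types relevant here (RFC 1035 / RFC 1995 values).
QTYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 15: "MX", 251: "IXFR", 252: "AXFR", 255: "ANY"}
ZONE_TRANSFER_QTYPES = (251, 252)   # IXFR, AXFR

# Constructed from the hex dump quoted in the thread: the TCP payload, i.e. everything
# after the 20-byte IP header and the 20-byte TCP header (dump offsets 0x36..0x54).
SAMPLE_TCP_PAYLOAD = bytes.fromhex(
    "001d"                               # TCP DNS length prefix: 29 bytes follow
    "0185" "0100"                        # ID 0x0185, flags 0x0100 (QR=0 query, RD=1)
    "0001" "0000" "0000" "0000"          # QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    "07686f746d61696c" "03636f6d" "00"   # QNAME: 7 "hotmail" 3 "com" 0
    "00ff"                               # QTYPE 255 = ANY (not 252 = AXFR)
    "0001"                               # QCLASS 1 = IN
)


def parse_name(msg, off):
    """Read an uncompressed domain name at msg[off]; return (name, next_offset).
    Labels are decoded as latin-1 so that arbitrary label bytes stay representable."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not expected in a question name")
        if off + n > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[off:off + n].decode("latin-1"))
        off += n
    return ".".join(labels), off


def parse_tcp_dns_query(payload):
    """Parse a DNS-over-TCP message (RFC 1035 s4.2.2 two-byte length prefix) and
    return the header flags plus the first question as a dict."""
    if len(payload) < 2:
        raise ValueError("missing TCP length prefix")
    (msglen,) = struct.unpack("!H", payload[:2])
    msg = payload[2:2 + msglen]
    if len(msg) != msglen or msglen < 12:
        raise ValueError("truncated DNS message")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question, got %d" % qdcount)
    qname, off = parse_name(msg, 12)
    if off + 4 > len(msg):
        raise ValueError("question section truncated")
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {
        "id": ident,
        "qr": flags >> 15,            # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "rd": (flags >> 8) & 1,
        "qname": qname,
        "qtype": qtype,
        "qtype_name": QTYPE_NAMES.get(qtype, str(qtype)),
        "qclass": qclass,
        "arcount": arcount,
    }


def is_zone_transfer_request(payload):
    """Field-level check: a query (QR=0) whose QTYPE is AXFR or IXFR."""
    q = parse_tcp_dns_query(payload)
    return q["qr"] == 0 and q["qtype"] in ZONE_TRANSFER_QTYPES


def raw_fc_byte_match(payload, offset=13):
    """Approximation of a plain content match for |FC| searched from the given
    payload offset (as in the arachNIDS rule quoted above), with no parsing."""
    return b"\xfc" in payload[offset:]


def build_tcp_query(labels, qtype, ident=0x1234, qclass=1):
    """Construct a DNS-over-TCP standard query (RD=1) with one question."""
    name = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    msg = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, qclass)
    return struct.pack("!H", len(msg)) + msg


# Constructed comparison cases (hypothetical traffic, not from the thread).
AXFR_PAYLOAD = build_tcp_query([b"hotmail", b"com"], 252, ident=0x0185)
# A QNAME label containing the byte 0xFC: the raw byte search fires, the field check does not.
ODD_LABEL_PAYLOAD = build_tcp_query([b"\xfcber", b"example"], 1)


def classify(payload):
    q = parse_tcp_dns_query(payload)
    return q["qname"], q["qtype_name"], is_zone_transfer_request(payload), raw_fc_byte_match(payload)


if __name__ == "__main__":
    for title, payload in [("quoted packet", SAMPLE_TCP_PAYLOAD),
                           ("constructed AXFR", AXFR_PAYLOAD),
                           ("constructed 0xFC-in-label", ODD_LABEL_PAYLOAD)]:
        qname, qtype_name, transfer, raw = classify(payload)
        print("%-28s %-16s qtype=%-5s zone_transfer=%-5s raw_FC_match=%s"
              % (title, qname, qtype_name, transfer, raw))
```

Run stand-alone, the script reports the quoted packet as `hotmail.com` / `ANY`, zone_transfer False; the constructed AXFR request as zone_transfer True; and the constructed query with a 0xFC byte inside a label as zone_transfer False but raw_FC_match True. The last case is the reason to prefer decoding the question over a bare byte search when following up on this class of alert: the byte 0xFC can legitimately appear in a label, while only the QTYPE field says whether a transfer was requested.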
Current thread:
- DNS zone transfer? Marek Gutkowski (Jul 04)
- Re: DNS zone transfer? Kiira Triea (Jul 05)
- Re: DNS zone transfer? Blake Frantz (Jul 05)
- Re: DNS zone transfer? Marek Gutkowski (Jul 05)
- Re: DNS zone transfer? James Hoagland (Jul 11)
- Re: DNS zone transfer? Kiira Triea (Jul 05)