Snort mailing list archives

RE: DNS zone transfers

From: Frank Knobbe <FKnobbe () KnobbeITS com>
Date: Thu, 20 Sep 2001 22:26:10 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If there were clear text in the packets, I'd say someone was using
nslookup against a server on the outside. However, since the content
is not clear text, it could very well be (gasp) a trojan tunneling on
port 53....

Regards,
Frank

-----Original Message-----
From: john.ruff () us abb com [mailto:john.ruff () us abb com]
Sent: Thursday, September 20, 2001 1:05 PM

The source IPs are machines inside my network but they are 
not DNS servers.  Any
idea what these alerts are saying?

From "alert_full" file:

[**] [1:255:1] DNS zone transfer [**]
[Classification: Attempted Information Leak] [Priority: 3]
09/20-13:57:14.393783 xxx.xxx.xx.xx:1821 -> 64.12.24.236:53
TCP TTL:127 TOS:0x0 ID:19377 IpLen:20 DgmLen:310 DF
***AP*** Seq: 0x514916CA  Ack: 0x5A2FF1A1  Win: 0x4506  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS212]

[...Payload of above...]
09/20-13:57:14.393783 xxx.xxx.xx.xx:1821 -> 64.12.24.236:53
TCP TTL:127 TOS:0x0 ID:19377 IpLen:20 DgmLen:310 DF
***AP*** Seq: 0x514916CA  Ack: 0x5A2FF1A1  Win: 0x4506  TcpLen: 20
2A 01 28 92 01 08 00 00 00 01 00 06 01 00 58 7A  *.(...........Xz
A4 22 B1 4E B0 74 D8 97 9E 11 E7 72 E5 BC 4D 2C  .".N.t.....r..M,
E2 FA 2D C2 C0 78 64 46 F4 B8 0A AF 63 9C CE FD  ..-..xdF....c...
7F F3 EF 39 91 30 BE 12 47 54 0F 1C 70 59 33 EA  ...9.0..GT..pY3.
31 5A 2E FD 12 57 FC CD E0 AD 95 14 AC 5C 0B 9C  1Z...W.......\..
25 A4 86 A1 35 CA 92 11 1A C8 AC D1 D5 7C DA 13  %...5........|..
E7 0B A8 85 B3 DC 99 11 34 79 83 A8 2C 4D 51 CE  ........4y..,MQ.
12 F9 85 3D 7C C3 84 80 5A 8C 0E F6 C6 E8 95 03  ...=|...Z.......
55 F0 F3 7E 5C 46 87 EF 21 A9 8C 71 A1 9A 1C AD  U..~\F..!..q....
6A 90 11 BF EA 40 63 AD 05 C5 B7 6E 14 09 49 06  j....@c....n..I.
B9 81 1F 87 CC 6B 9C FA 2B 0A E7 AC 1E 38 BD 5C  .....k..+....8.\
77 AE 03 B8 54 53 50 F3 4F 09 F6 4D 38 04 C5 A8  w...TSP.O..M8...
92 A2 56 EE 71 48 61 E0 40 18 F6 73 E2 28 2D E7  ..V.qHa.@..s.(-.
Snort received signal 3, exiting
00 00 A4 0C BF 47 37 A1 F8 F3 DE 2C 54 17 40 B8  .....G7....,T.@.
1B 5D 49 31 98 91 FF 93 83 FE 16 5C 98 2D 4E 69  .]I1.......\.-Ni
0F 3A F1 D0 40 30 E9 95 DD 6C 26 CA 70 E4 7F D3  .:..@0...l&.p...
EF F4 0C C7 B8 21 02 C2 6A BE 36 84 93 D9        .....!..j.6...


-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME (X.509) encrypted email preferred.

iQA/AwUBO6qzUpytSsEygtEFEQIwYgCfQ15cRZyrG6jxdQ796StOArVvQhsAoJYc
aMVN2oxt6FLetLSofl8X0qS3
=IBS7
-----END PGP SIGNATURE-----

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

DNS zone transfers john . ruff (Sep 20)
- <Possible follow-ups>
- RE: DNS zone transfers Frank Knobbe (Sep 20)