Snort mailing list archives
RE: DNS zone transfers
From: Frank Knobbe <FKnobbe () KnobbeITS com>
Date: Thu, 20 Sep 2001 22:26:10 -0500
If there were clear text in the packets, I'd say someone was using nslookup against a server on the outside. However, since the content is not clear text, it could very well be (gasp) a trojan tunneling on port 53....

Regards,
Frank
-----Original Message-----
From: john.ruff () us abb com [mailto:john.ruff () us abb com]
Sent: Thursday, September 20, 2001 1:05 PM

The source IPs are machines inside my network but they are not DNS servers. Any idea what these alerts are saying?

From "alert_full" file:

[**] [1:255:1] DNS zone transfer [**]
[Classification: Attempted Information Leak] [Priority: 3]
09/20-13:57:14.393783 xxx.xxx.xx.xx:1821 -> 64.12.24.236:53
TCP TTL:127 TOS:0x0 ID:19377 IpLen:20 DgmLen:310 DF
***AP*** Seq: 0x514916CA  Ack: 0x5A2FF1A1  Win: 0x4506  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS212]

[...Payload of above...]

09/20-13:57:14.393783 xxx.xxx.xx.xx:1821 -> 64.12.24.236:53
TCP TTL:127 TOS:0x0 ID:19377 IpLen:20 DgmLen:310 DF
***AP*** Seq: 0x514916CA  Ack: 0x5A2FF1A1  Win: 0x4506  TcpLen: 20
2A 01 28 92 01 08 00 00 00 01 00 06 01 00 58 7A  *.(...........Xz
A4 22 B1 4E B0 74 D8 97 9E 11 E7 72 E5 BC 4D 2C  .".N.t.....r..M,
E2 FA 2D C2 C0 78 64 46 F4 B8 0A AF 63 9C CE FD  ..-..xdF....c...
7F F3 EF 39 91 30 BE 12 47 54 0F 1C 70 59 33 EA  ...9.0..GT..pY3.
31 5A 2E FD 12 57 FC CD E0 AD 95 14 AC 5C 0B 9C  1Z...W.......\..
25 A4 86 A1 35 CA 92 11 1A C8 AC D1 D5 7C DA 13  %...5........|..
E7 0B A8 85 B3 DC 99 11 34 79 83 A8 2C 4D 51 CE  ........4y..,MQ.
12 F9 85 3D 7C C3 84 80 5A 8C 0E F6 C6 E8 95 03  ...=|...Z.......
55 F0 F3 7E 5C 46 87 EF 21 A9 8C 71 A1 9A 1C AD  U..~\F..!..q....
6A 90 11 BF EA 40 63 AD 05 C5 B7 6E 14 09 49 06  j....@c....n..I.
B9 81 1F 87 CC 6B 9C FA 2B 0A E7 AC 1E 38 BD 5C  .....k..+....8.\
77 AE 03 B8 54 53 50 F3 4F 09 F6 4D 38 04 C5 A8  w...TSP.O..M8...
92 A2 56 EE 71 48 61 E0 40 18 F6 73 E2 28 2D E7  ..V.qHa.@..s.(-.
Snort received signal 3, exiting
00 00 A4 0C BF 47 37 A1 F8 F3 DE 2C 54 17 40 B8  .....G7....,T.@.
1B 5D 49 31 98 91 FF 93 83 FE 16 5C 98 2D 4E 69  .]I1.......\.-Ni
0F 3A F1 D0 40 30 E9 95 DD 6C 26 CA 70 E4 7F D3  .:..@0...l&.p...
EF F4 0C C7 B8 21 02 C2 6A BE 36 84 93 D9        .....!..j.6...
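A triage check for an alert like the one quoted above, added here as example code rather than anything from the thread: it tests whether a TCP port-53 payload is structurally DNS-over-TCP (length prefix, header, decodable QNAME), so a defender can tell a real AXFR request from bytes that merely ride port 53. The alert payload is transcribed from the hex columns in the quoted message; the AXFR builder and the zone name example.com are assumed for contrast.

```python
# Added triage helper (example code, not from the thread): decide whether the payload of a
# TCP port-53 segment is structurally DNS-over-TCP per RFC 1035 section 4.2.2.
import struct

# Constructed from the hex columns of the alert above: 270 bytes = DgmLen 310 - 20 IP - 20 TCP.
ALERT_PAYLOAD = bytes.fromhex("""
2A 01 28 92 01 08 00 00 00 01 00 06 01 00 58 7A A4 22 B1 4E B0 74 D8 97 9E 11 E7 72 E5 BC 4D 2C
E2 FA 2D C2 C0 78 64 46 F4 B8 0A AF 63 9C CE FD 7F F3 EF 39 91 30 BE 12 47 54 0F 1C 70 59 33 EA
31 5A 2E FD 12 57 FC CD E0 AD 95 14 AC 5C 0B 9C 25 A4 86 A1 35 CA 92 11 1A C8 AC D1 D5 7C DA 13
E7 0B A8 85 B3 DC 99 11 34 79 83 A8 2C 4D 51 CE 12 F9 85 3D 7C C3 84 80 5A 8C 0E F6 C6 E8 95 03
55 F0 F3 7E 5C 46 87 EF 21 A9 8C 71 A1 9A 1C AD 6A 90 11 BF EA 40 63 AD 05 C5 B7 6E 14 09 49 06
B9 81 1F 87 CC 6B 9C FA 2B 0A E7 AC 1E 38 BD 5C 77 AE 03 B8 54 53 50 F3 4F 09 F6 4D 38 04 C5 A8
92 A2 56 EE 71 48 61 E0 40 18 F6 73 E2 28 2D E7 00 00 A4 0C BF 47 37 A1 F8 F3 DE 2C 54 17 40 B8
1B 5D 49 31 98 91 FF 93 83 FE 16 5C 98 2D 4E 69 0F 3A F1 D0 40 30 E9 95 DD 6C 26 CA 70 E4 7F D3
EF F4 0C C7 B8 21 02 C2 6A BE 36 84 93 D9
""")

def check_dns_tcp(payload: bytes) -> dict:
    """Sanity findings for one TCP segment; a genuine DNS query passes all three."""
    findings = {"length_ok": False, "header_ok": False, "qname": None}
    if len(payload) < 14:          # 2-byte length prefix + 12-byte DNS header minimum
        return findings
    (msg_len,) = struct.unpack("!H", payload[:2])
    findings["length_ok"] = msg_len == len(payload) - 2
    _ident, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[2:14])
    opcode = (flags >> 11) & 0xF   # 0..5 are the only assigned opcodes
    z_bit = (flags >> 6) & 1       # reserved bit, must be zero
    findings["header_ok"] = opcode <= 5 and z_bit == 0 and 1 <= qdcount <= 4
    labels, pos = [], 14           # walk the first QNAME label by label
    while pos < len(payload):
        n = payload[pos]
        if n == 0:                 # root label terminates the name
            findings["qname"] = ".".join(labels) or "."
            break
        if n > 63 or pos + 1 + n > len(payload):
            break                  # label too long or runs off the segment: not a name
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return findings

def build_axfr_query(zone: str, ident: int = 0x1234) -> bytes:
    """Well-formed AXFR request over TCP (assumed example), for contrast with the alert."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in zone.rstrip(".").split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", ident, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 252, 1)
    return struct.pack("!H", len(msg)) + msg

if __name__ == "__main__":
    print("alert payload:", check_dns_tcp(ALERT_PAYLOAD))
    print("real AXFR:    ", check_dns_tcp(build_axfr_query("example.com")))
```

For the quoted payload the length prefix (0x2A01) does not match the 268 bytes that follow, QDCOUNT is zero, and the first label byte (0x58) exceeds the 63-octet limit, so nothing about it parses as DNS.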
Current thread:
- DNS zone transfers john . ruff (Sep 20)
- <Possible follow-ups>
- RE: DNS zone transfers Frank Knobbe (Sep 20)