Snort mailing list archives

Re: DNS zone transfer UDP false positives in 1.9.1?


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 10 Mar 2003 15:46:54 -0500

Well, this is true that you normally don't see a zone-transfer request in a UDP packet because it doesn't make much sense... that doesn't mean someone can't form such a request and send it however...

The rule itself is probably correctly labeled, as it looks like someone purposefully cloned the TCP rule to a UDP one. But whoever cloned the rule failed to consider how to do it "right".

If the rule wasn't FP-prone it would be great, as anyone doing a zone-transfer request in a UDP packet is very obviously up to no good. However this rule just isn't cut out for such use.

At 02:33 PM 3/10/2003 -0600, Ken Connelly wrote:
zone transfers are done via TCP, not UDP. normal dns lookups are done via UDP. this alert must be mislabeled.

- ken

Matt Kettler wrote:

I've been getting some of these since my update to 1.9.1 from 1.9.0. It would appear the rule in question is FP prone... as I can't see why these domains would try a zone-transfer..

alert:[**] [1:1948:1] DNS zone transfer UDP [**]
alert-[Classification: Attempted Information Leak] [Priority: 2]
alert-03/10-13:44:02.130534 66.163.169.170:53 -> 192.168.50.2:53
alert-UDP TTL:53 TOS:0x0 ID:19498 IpLen:20 DgmLen:531
alert-Len: 511
alert-[Xref => arachnids 212][Xref => cve CAN-1999-0532]

ns2.yahoo.com doing a zone transfer.. from ME?? highly unlikely...


Looking at the offending packet, it's clearly a false positive; this is a query response with a CNAME.

 tcpdump -vvx -r tcpdump.log.1047277830 host 66.163.169.170
13:44:02.130534 ns2.yahoo.com.domain > xanadu-int.evi-inc.com.domain: [udp sum ok]
40192- q: rd.yahoo.com. 1/13/14 rd.yahoo.com. CNAME rd.yahoo.akadns.net. (503) (ttl 53, id 19498)

Looking at the rule, I can see what it's alerting on:

dns.rules:alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS zone transfer UDP"; content: "|00 00 FC|"; offset:14; reference:cve,CAN-1999-0532; reference:arachnids,212; classtype:attempted-recon; sid:1948; rev:1;)

Is it possible to add a "depth" limiter or a !content to this to try to reduce the FP's?



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
- Ken
===========================================================================
Ken Connelly (KC152) Systems and Operations Manager, ITS - Network Services
University of Northern Iowa                     Cedar Falls, IA  50614-0121
email: Ken.Connelly () uni edu    phone: (319) 273-5850    fax: (319) 273-7373





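The rule quoted in the thread fires on any `00 00 FC` at or past byte 14 of the UDP payload, which is why a response whose answer TTL happens to be 0x0000FC67 trips it; a `depth` cannot help because the variable-length QNAME sits between the header and the QTYPE field. The following added example (not from the thread or the Snort project) contrasts that byte-pattern check with a minimal DNS parser that only flags a query (QR=0) whose first question has QTYPE AXFR (252). Both sample packets are constructed here; the response mimics the CNAME answer and TTL from the quoted tcpdump.

```python
import struct

AXFR = 252  # DNS QTYPE value for a zone transfer request (0x00FC)


def naive_rule_match(payload: bytes) -> bool:
    """Mirror content:"|00 00 FC|"; offset:14 - any hit from byte 14 on fires."""
    return payload.find(b"\x00\x00\xfc", 14) != -1


def is_axfr_query(payload: bytes) -> bool:
    """True only for a well-formed DNS query whose first question is AXFR."""
    if len(payload) < 12:
        return False
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount < 1:  # QR bit set means response, not request
        return False
    pos = 12
    while True:  # walk the QNAME labels until the terminating zero length
        if pos >= len(payload):
            return False
        length = payload[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:  # compression pointer in a question is unexpected
            return False
        pos += 1 + length
    if pos + 4 > len(payload):
        return False
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return qtype == AXFR


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


# Constructed sample 1: a normal response (QR=1) with one CNAME answer whose
# TTL is 0x0000FC67, the same byte pattern that tripped the rule in the thread.
RESPONSE = (struct.pack("!HHHHHH", 0x9D00, 0x8180, 1, 1, 0, 0)
            + encode_name("rd.yahoo.com") + struct.pack("!HH", 5, 1)
            + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 0x0000FC67, 2) + b"\xc0\x0c")

# Constructed sample 2: a genuine AXFR request, which both checks should flag.
AXFR_QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0000, 1, 0, 0, 0)
              + encode_name("example.com") + struct.pack("!HH", AXFR, 1))

if __name__ == "__main__":
    for label, pkt in (("response", RESPONSE), ("axfr query", AXFR_QUERY)):
        print(label, "rule:", naive_rule_match(pkt), "parser:", is_axfr_query(pkt))
```

Run stand-alone it prints that the response matches the byte pattern but not the parser, while the AXFR query matches both.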

