Snort mailing list archives

RE: DNS Zone Transfer False Positive


From: "Geoff Craig" <GCraig () quilogy com>
Date: Wed, 26 Mar 2003 16:02:36 -0600

Hey Ron,

This RFC Draft will assist you in understanding what your clients are
doing.

http://ops.ietf.org/lists/namedroppers/namedroppers.199x/msg03939.html

and this MS article (which of course is so long that it does the
mandatory Microsoft URL wrap)

http://www.microsoft.com/windows2000/techinfo/reskit/deploymentscenarios/scenarios/dhcp02_use_dynupdate_secdynupdate.asp#dhcp02_howitworks

Geoff

-----Original Message-----
From: Ron Shuck [mailto:rshuck () Buchanan com] 
Sent: Wednesday, March 26, 2003 12:47 PM
To: James Hoagland; snort-users () lists sourceforge net

Hi,

Using 1.9.0 still, and it was rev 6 of SID:255. -- No lectures please, I
disabled RPC until I can upgrade -- ;-)
I wasn't sure what the significance of the TKEY name was, so I
obfuscated it along with the IP/Checksums.

08:02:03.948630 MY.NET.113.149.2856 > MY.NET.100.21.domain: P [tcp sum
ok] 3389545719:3389545992(273) ack 3366544751 win 17267 (DF) (ttl 127,
id 13586, len 313)
0x0000   4500 0139 3512 4000 7f06 5426 0000 7195        E..95.@.......q.
0x0010   0000 6415 0b28 0035 ca08 5cf7 c8a9 656f        ..d..(.5..\...eo
0x0020   5018 4373 345f 0000 010f cf88 0000 0001        P.Cs............
0x0030   0001 0000 0001 0000 0000 0000 0000 0000        .......XXXXXXXXX
0x0040   3935 342d 3300 00f9 0001 0e00 0000 0000        954-3......XXXXX
0x0050   0000 0000 3935 342d 3300 00f9 00ff 0000        XXXX954-3.......
0x0060   0000 0088 0367 7373 096d 6963 726f 736f        .....gss.microso
0x0070   6674 0363 6f6d 003e 6360 403e 64b1 c000        ft.com.>c`@>d...
0x0080   0300 0000 654e 544c 4d53 5350 0003 0000        ....eNTLMSSP....
0x0090   0001 0001 0054 0000 0000 0000 0055 0000        .....T.......U..
0x00a0   0000 0000 0040 0000 0000 0000 0040 0000        .....@.......@..
0x00b0   0014 0014 0040 0000 0010 0010 0055 0000        .....@.......U..
0x00c0   0015 8a88 e043 0045 004e 002d 0031 0030        .....C.E.N.-.1.0
0x00d0   0037 002d 0031 0033 0000 a8bf 4a19 6e0a        .7.-.1.3....J.n.
0x00e0   6684 44f3 e21c 2b68 ed4c 0000 0e00 0000        f.D...+h.L...XXX
0x00f0   0000 0000 0000 3935 342d 3300 00fa 00ff        XXXXXX954-3.....
0x0100   0000 0000 0033 0367 7373 096d 6963 726f        .....3.gss.micro
0x0110   736f 6674 0363 6f6d 0000 003e 6360 408c        soft.com...>c`@.
0x0120   a000 1001 0000 00fc 88a8 0101 288c b400        ............(...
0x0130   0000 00cf 8800 0000 00                         .........

Best Regards,

Ron Shuck, CISSP - Managing Consultant 
Buchanan Associates - A Technology Company in the People Business 
http://www.buchanan.com 
http://www.isc2.org 

-----Original Message-----
From: James Hoagland [mailto:jim () SiliconDefense com] 
Sent: Wednesday, March 26, 2003 10:46 AM
To: Ron Shuck; snort-users () lists sourceforge net
Subject: Re: [Snort-users] DNS Zone Transfer False Positive


Ron,

What exact snort version are you using?

Also, any chance we can get a hex dump of the TCP payload?  E.g.,
snort's text pretty-printing or tcpdump -X.

Thanks,

   Jim


At 10:25 AM -0600 3/26/03, Ron Shuck wrote:
Hi,

I have been getting a few DNS Zone Transfer false positives. They 
originate from 2K or XP workstations. When I examined a little closer, 
it appeared to be a DNS query containing a TSIG. The signature
portion of the TSIG additional record contains the content string from
the snort signature |00 00 FC|.

Anyone have any ideas of how to eliminate this type of false positive 
from the signature? I would also appreciate any explanation of what the 
heck this traffic does. I am just looking into rfc2931 and 2535.

Transmission Control Protocol, Src Port: 2856 (2856), Dst Port: domain (53), Seq: 3389545719, Ack: 3366544751, Len: 273
Domain Name System (query)
    Length: 271
    Transaction ID: 0xcf88
    Flags: 0x0000 (Standard query)
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable
    Questions: 1
    Answer RRs: 1
    Authority RRs: 0
    Additional RRs: 1
    Queries
        9XXXXXXXXXXX-3: type TKEY, class inet
            Name: 9XXXXXXXXXXX-3
            Type: Transaction Key
            Class: inet
    Answers
        9XXXXXXXXXXX-3: type TKEY, class any
            Name: 9XXXXXXXXXXX-3
            Type: Transaction Key
            Class: any
            Time to live: 0 time
            Data length: 136
            Algorithm name: gss.microsoft.com
            Signature inception: Mar  3, 2003 08:01:36.000000000
            Signature expiration: Mar  4, 2003 08:01:36.000000000
            Mode: GSSAPI
            Error: No error
            Key
            Other
    Additional records
        9XXXXXXXXXXX-3: type TSIG, class any
            Name: 9XXXXXXXXXXX-3
            Type: Transaction Signature
            Class: any
            Time to live: 0 time
            Data length: 51
            Algorithm name: gss.microsoft.com
            Time signed: Mar  3, 2003 08:01:36.000000000
            Fudge: 36000
            Signature
            Original id: 53128
            Error: No error
            Other


Best Regards,


Ron Shuck, CISSP - Managing Consultant
Buchanan Associates - A Technology Company in the People Business 
http://www.buchanan.com http://www.isc2.org



-- 
|*     Jim Hoagland, Associate Researcher, Silicon Defense     *|
|*    --- Silicon Defense: The Cyberwar Defense Company ---    *|
|*   jim () SiliconDefense com, http://www.silicondefense.com/    *|
|*  Voice: (530) 756-7317                 Fax: (530) 756-7297  *|
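Added example (not code from the thread or from Snort): a Python check that walks the DNS header and question section and compares it with the content-only match that SID 255 performs. The TSIG rdata is copied from Ron's hex dump (packet offset 0x106, where the MAC carries the 00 00 FC bytes); the host name, the TKEY rdata and the contrasting AXFR request are constructed placeholders, since the real name is obfuscated in the post.

```python
import struct
AXFR, TKEY, TSIG = 252, 249, 250   # RR type codes; AXFR is 0x00FC, the bytes |00 00 FC| is meant to match
CLASS_IN, CLASS_ANY = 1, 255

def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels plus the root terminator."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past the name at `off`; a compression pointer is two bytes."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def question_types(msg):
    """Walk the header and question section and return the QTYPE of every question."""
    off, types = 12, []
    for _ in range(struct.unpack_from("!H", msg, 4)[0]):     # QDCOUNT
        off = skip_name(msg, off)
        types.append(struct.unpack_from("!HH", msg, off)[0])
        off += 4                                              # QTYPE + QCLASS
    return types

def naive_match(msg):
    """What a content-only rule does: |00 00 FC| anywhere in the payload fires."""
    return b"\x00\x00\xfc" in msg
def is_axfr_request(msg):
    """Structure-aware check: only a question whose QTYPE is AXFR is a zone transfer request."""
    return AXFR in question_types(msg)

def build_message(name, qtype, answers=(), additional=(), txid=0xCF88):
    """Constructed DNS message: one IN question plus (type, class, rdata) RRs on `name`, TTL 0."""
    hdr = struct.pack("!HHHHHH", txid, 0, 1, len(answers), 0, len(additional))
    rrs = b"".join(encode_name(name) + struct.pack("!HHIH", t, c, 0, len(rd)) + rd
                   for t, c, rd in list(answers) + list(additional))
    return hdr + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN) + rrs

# TSIG rdata copied from Ron's dump (offset 0x106): gss.microsoft.com, time signed, fudge 0x8ca0 (36000),
# MAC size 16, the MAC, original id 0xcf88, error 0, other-data length 0.
TSIG_RDATA = bytes.fromhex("0367737309 6d6963726f736f6674 03636f6d 00  00003e636040 8ca0 0010"
                           "010000 00fc 88a801 01288cb4 00000000"   # MAC: |00 00 FC| is bytes 3..5
                           "cf88 0000 0000")

# Ron's TKEY negotiation with a constructed host name and an opaque 136-byte stand-in for the TKEY
# rdata (its content does not affect the check), plus a constructed genuine AXFR request for contrast.
TKEY_MSG = build_message("ws-954-3", TKEY, answers=[(TKEY, CLASS_ANY, b"\x00" * 136)],
                         additional=[(TSIG, CLASS_ANY, TSIG_RDATA)])
AXFR_MSG = build_message("example.com", AXFR)
```

Only the parsed QTYPE of the question separates the two messages; the opaque MAC in the TSIG record can contain any byte sequence, so a payload-wide content match will keep firing on GSS-TSIG clients.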


