RE: DNS Zone Transfer False Positive

[James Hoagland <jim () SiliconDefense com>]

Ron,

Okay, it looks like Snort implemented the signature matching 
correctly since there is a 00 00 FC near the bottom of the packet. 
(Always good to check that first since certain snort versions has 
content matching problems.)

This signature was not written with using DNS for anything other than 
address resolution in mind.  So, it may false positive sometimes with 
non-address queries that use TCP (such as your example).  It should 
be rewritten to make sure the query type is "A".  I don't have time 
right now, but hopefully someone else can pick this up (hence the 
cross-post to snort-sig).

Best regards,

  Jim

At 12:46 PM -0600 3/26/03, Ron Shuck wrote:
> Hi,
>
> Using 1.9.0 still, and it was rev 6 of SID:255. -- No lectures please, I
> disabled RPC until I can upgrade -- ;-)
> I wasn't sure what the significance of the TKEY name was, so I
> obfuscated it along with the IP/Checksums.
>
> 08:02:03.948630 MY.NET.113.149.2856 > MY.NET.100.21.domain: P [tcp sum
> ok] 3389545719:3389545992(273) ack 3366544751 win 17267 (DF) (ttl 127,
> id 13586, len 313)
> 0x0000   4500 0139 3512 4000 7f06 5426 0000 7195        E..95.@.......q.
> 0x0010   0000 6415 0b28 0035 ca08 5cf7 c8a9 656f        ..d..(.5..\...eo
> 0x0020   5018 4373 345f 0000 010f cf88 0000 0001        P.Cs............
> 0x0030   0001 0000 0001 0000 0000 0000 0000 0000        .......XXXXXXXXX
> 0x0040   3935 342d 3300 00f9 0001 0e00 0000 0000        954-3......XXXXX
> 0x0050   0000 0000 3935 342d 3300 00f9 00ff 0000        XXXX954-3.......
> 0x0060   0000 0088 0367 7373 096d 6963 726f 736f        .....gss.microso
> 0x0070   6674 0363 6f6d 003e 6360 403e 64b1 c000        ft.com.>c`@>d...
> 0x0080   0300 0000 654e 544c 4d53 5350 0003 0000        ....eNTLMSSP....
> 0x0090   0001 0001 0054 0000 0000 0000 0055 0000        .....T.......U..
> 0x00a0   0000 0000 0040 0000 0000 0000 0040 0000        .....@.......@..
> 0x00b0   0014 0014 0040 0000 0010 0010 0055 0000        .....@.......U..
> 0x00c0   0015 8a88 e043 0045 004e 002d 0031 0030        .....C.E.N.-.1.0
> 0x00d0   0037 002d 0031 0033 0000 a8bf 4a19 6e0a        .7.-.1.3....J.n.
> 0x00e0   6684 44f3 e21c 2b68 ed4c 0000 0e00 0000        f.D...+h.L...XXX
> 0x00f0   0000 0000 0000 3935 342d 3300 00fa 00ff        XXXXXX954-3.....
> 0x0100   0000 0000 0033 0367 7373 096d 6963 726f        .....3.gss.micro
> 0x0110   736f 6674 0363 6f6d 0000 003e 6360 408c        soft.com...>c`@.
> 0x0120   a000 1001 0000 00fc 88a8 0101 288c b400        ............(...
> 0x0130   0000 00cf 8800 0000 00                         .........
>
> Best Regards,
>
> Ron Shuck, CISSP - Managing Consultant
> Buchanan Associates - A Technology Company in the People Business
> http://www.buchanan.com
> http://www.isc2.org
>
> -----Original Message-----
> From: James Hoagland [mailto:jim () SiliconDefense com]
> Sent: Wednesday, March 26, 2003 10:46 AM
> To: Ron Shuck; snort-users () lists sourceforge net
> Subject: Re: [Snort-users] DNS Zone Transfer False Positive
>
>
> Ron,
>
> What exact snort version are you using?
>
> Also, any change we can get a hex dump of the TCP payload?  E.g.,
> snort's text pretty-printing or tcpdump -X.
>
> Thanks,
>
>    Jim
>
>
> At 10:25 AM -0600 3/26/03, Ron Shuck wrote:
> > Hi,
> >
> > I have been getting a few DNS Zone Transfer false positives. They
> > originate from 2K or XP workstations. When I examined a little closer,
> > it appeared to be a DNS query containing a TSIG. The signature
> > portion of the TSIG additional record contains the content string from
> > the snort signature |00 00 FC|.
> >
> > Anyone have any ideas of how to eliminate this type of false positive
> > from the signature? I would also appreciate any explanation what the
> > heck this traffic does? I am just looking into rfc2931 and 2535.
> >
> > Transmission Control Protocol, Src Port: 2856 (2856), Dst Port: domain
> > (53), Seq: 3389545719, Ack: 3366544751, Len: 273 Domain Name System
> > (query)
> >      Length: 271
> >      Transaction ID: 0xcf88
> >      Flags: 0x0000 (Standard query)
>  >         0... .... .... .... = Response: Message is a query
> >          .000 0... .... .... = Opcode: Standard query (0)
> >          .... ..0. .... .... = Truncated: Message is not truncated
> >          .... ...0 .... .... = Recursion desired: Don't do query
> > recursively
> >          .... .... ...0 .... = Non-authenticated data OK:
> > Non-authenticated data is unacceptable
> >      Questions: 1
> >      Answer RRs: 1
> >      Authority RRs: 0
> >      Additional RRs: 1
> >      Queries
> >          9XXXXXXXXXXX-3: type TKEY, class inet
> >              Name: 9XXXXXXXXXXX-3
> >              Type: Transaction Key
> >              Class: inet
> >      Answers
> >          9XXXXXXXXXXX-3: type TKEY, class any
> >              Name: 9XXXXXXXXXXX-3
> >              Type: Transaction Key
> >              Class: any
> >              Time to live: 0 time
> >              Data length: 136
> >              Algorithm name: gss.microsoft.com
> >              Signature inception: Mar  3, 2003 08:01:36.000000000
> >              Signature expiration: Mar  4, 2003 08:01:36.000000000
> >              Mode: GSSAPI
> >              Error: No error
> >              Key
> >              Other
> >      Additional records
> >          9XXXXXXXXXXX-3: type TSIG, class any
> >              Name: 9XXXXXXXXXXX-3
> >              Type: Transaction Signature
> >              Class: any
> >              Time to live: 0 time
> >              Data length: 51
> >              Algorithm name: gss.microsoft.com
> >              Time signed: Mar  3, 2003 08:01:36.000000000
> >              Fudge: 36000
> >              Signature
> >              Original id: 53128
> >              Error: No error
> >              Other
> >
> >
> > Best Regards,
> >
> >
> > Ron Shuck, CISSP - Managing Consultant
> > Buchanan Associates - A Technology Company in the People Business
> > http://www.buchanan.com http://www.isc2.org
> >
> > Content-Type: application/x-pkcs7-signature;
> >         name="smime.p7s"
> > Content-Disposition: attachment;
> >         filename="smime.p7s"
> >
> > Attachment converted: Shu:smime 15.p7s (????/----) (00120A70)
>
>
> --
> |*     Jim Hoagland, Associate Researcher, Silicon Defense     *|
> |*    --- Silicon Defense: The Cyberwar Defense Company ---    *|
> |*   jim () SiliconDefense com, http://www.silicondefense.com/    *|
> |*  Voice: (530) 756-7317                 Fax: (530) 756-7297  *|
>
> Content-Type: application/x-pkcs7-signature;
>         name="smime.p7s"
> Content-Disposition: attachment;
>         filename="smime.p7s"
>
> Attachment converted: Shu:smime 16.p7s (????/----) (00120ADE)


--
|*     Jim Hoagland, Associate Researcher, Silicon Defense     *|
|*    --- Silicon Defense: The Cyberwar Defense Company ---    *|
|*   jim () SiliconDefense com, http://www.silicondefense.com/    *|
|*  Voice: (530) 756-7317                 Fax: (530) 756-7297  *|


-------------------------------------------------------
This SF.net email is sponsored by:
The Definitive IT and Networking Event. Be There!
NetWorld+Interop Las Vegas 2003 -- Register today!
http://ads.sourceforge.net/cgi-bin/redirect.pl?keyn0001en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users