Snort mailing list archives

DNS Help/ SID 1948


From: "Everist, Benjamin S. (NASWI)" <EveristB () naswi navy mil>
Date: Wed, 7 May 2003 11:45:27 -0700

Is the alert below really a DNS Zone transfer?  If not, what is it?  

------------------------------------------------------------------------------
#(1 - 324871) [2003-05-06 09:15:04] [arachNIDS/212] [cve/CAN-1999-0532]
[icat/CAN-1999-0532] [snort/1948]  DNS zone transfer UDP
IPv4: 207.115.64.2 -> my.home.net
      hlen=5 TOS=0 dlen=170 ID=0 flags=0 offset=0 TTL=47 chksum=51810
UDP:  port=53 -> dport: 53 len=150
Payload:  length = 142

000 : 54 50 80 00 00 01 00 00 00 02 00 03 03 31 31 36   TP...........116
010 : 06 31 31 32 2F 32 38 03 31 33 35 02 31 38 02 31   .112/28.135.18.1
020 : 32 07 69 6E 2D 61 64 64 72 04 61 72 70 61 00 00   2.in-addr.arpa..
030 : 0C 00 01 C0 10 00 02 00 01 **00 00 FC** DB 00 12 03   ................
040 : 6E 73 32 08 69 73 6F 6D 65 64 69 61 03 63 6F 6D   ns2.isomedia.com
050 : 00 C0 10 00 02 00 01 **00 00 FC** DB 00 06 03 6E 73   ..............ns
060 : 31 C0 43 C0 5D 00 01 00 01 00 00 2A 30 00 04 CF   1.C.]......*0...
070 : 73 40 02 C0 3F 00 01 00 01 00 00 2A 30 00 04 CF   s@..?......*0...
080 : 73 40 03 00 00 29 10 00 00 00 80 00 00 00         s@...)........

and here's the sig that triggered it:

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer UDP";
content: "|00 00 FC|"; offset:14; reference:cve,CAN-1999-0532;
reference:arachnids,212; classtype:attempted-recon; sid:1948; rev:1;) 

Your thoughts are appreciated...

v/r,

Benjamin Everist
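The alert above, decoded. This is an added example, not code from the original post or from the Snort project: a small RFC 1035 parser that walks the payload bytes copied from the hex dump in the alert, then reports which DNS field each occurrence of the rule's content, 00 00 FC searched from payload offset 14 as SID 1948 specifies, actually falls in. It assumes that Snort's offset keyword counts from the start of the UDP payload, which is how content matching works for a UDP rule. Run against this packet it reports a response (QR bit set) to a PTR query for 116.112/28.135.18.12.in-addr.arpa, and both hits of the pattern land in the TTL field (0x0000FCDB, 64731 seconds) of the two NS records in the authority section, not in a QTYPE. The requests_zone_transfer check at the end returns True only for a query whose QTYPE is 252 (AXFR), the narrower condition that the rule's message describes.

```python
"""Added example (not from the original post): decode the alert's UDP payload
as a DNS message and report which field each |00 00 FC| hit of SID 1948 lands in."""
import struct

# Payload bytes copied from the hex dump in the alert (142 bytes).
PAYLOAD = bytes.fromhex(
    "54508000000100000002000303313136" "063131322f3238033133350231380231"
    "3207696e2d6164647204617270610000" "0c0001c010000200010000fcdb001203"
    "6e73320869736f6d6564696103636f6d" "00c010000200010000fcdb0006036e73"
    "31c043c05d0001000100002a300004cf" "734002c03f0001000100002a300004cf"
    "7340030000291000000080000000"
)
RULE_PATTERN = bytes.fromhex("0000fc")  # content:"|00 00 FC|" in the rule
RULE_OFFSET = 14                         # offset:14 in the rule (bytes into the UDP payload)
AXFR = 252                               # QTYPE of a zone transfer request (RFC 1035), i.e. 0x00FC
TYPE_NAMES = {1: "A", 2: "NS", 12: "PTR", 41: "OPT", 252: "AXFR"}


def read_name(msg, pos):
    """Return (name, position after the name), following RFC 1035 compression pointers."""
    labels, jumped, resume = [], False, None
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                        # two-byte compression pointer
            if not jumped:
                resume = pos + 2
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            jumped = True
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels) or ".", (resume if jumped else pos)


def parse_dns(msg):
    """Parse header, question and all RRs; also record the byte span of each fixed field."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    fields, questions, records, pos = [], [], [], 12
    for _ in range(qd):
        name, pos = read_name(msg, pos)
        qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
        fields.append((pos, pos + 2, f"QTYPE of question {name}"))
        questions.append((name, qtype, qclass))
        pos += 4
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, pos = read_name(msg, pos)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
            tname = TYPE_NAMES.get(rtype, str(rtype))
            rdata = msg[pos + 10:pos + 10 + rdlen]
            if rtype == 1 and rdlen == 4:                # A record: dotted quad
                value = ".".join(str(b) for b in rdata)
            elif rtype in (2, 12):                        # NS / PTR: a (possibly compressed) name
                value = read_name(msg, pos + 10)[0]
            else:
                value = rdata.hex()
            tag = f"{section} {tname} record for {name}"
            fields.append((pos, pos + 2, "TYPE of " + tag))
            fields.append((pos + 4, pos + 8, "TTL of " + tag))
            fields.append((pos + 10, pos + 10 + rdlen, "RDATA of " + tag))
            records.append((section, name, tname, ttl, value))
            pos += 10 + rdlen
    return {"id": ident, "is_response": bool(flags & 0x8000),
            "questions": questions, "records": records, "fields": fields}


def locate_pattern(msg, parsed, pattern=RULE_PATTERN, offset=RULE_OFFSET):
    """List (payload offset, field) for every place the rule's content matches."""
    hits, start = [], msg.find(pattern, offset)
    while start != -1:
        field = next((d for s, e, d in parsed["fields"] if s <= start < e), "unparsed bytes")
        hits.append((start, field))
        start = msg.find(pattern, start + 1)
    return hits


def requests_zone_transfer(parsed):
    """True only for a query (QR clear) whose QTYPE is AXFR: what the rule's name claims."""
    return not parsed["is_response"] and any(q[1] == AXFR for q in parsed["questions"])


if __name__ == "__main__":
    info = parse_dns(PAYLOAD)
    print("response" if info["is_response"] else "query", "id=0x%04x" % info["id"])
    for q in info["questions"]:
        print("question:", q[0], "type", TYPE_NAMES.get(q[1], q[1]))
    for rec in info["records"]:
        print("%-10s %-32s %-4s ttl=%-6d %s" % rec)
    for off, field in locate_pattern(PAYLOAD, info):
        print("|00 00 FC| at payload offset %d (0x%02x): %s" % (off, off, field))
    print("actual AXFR request:", requests_zone_transfer(info))
```

The same decoder can be pointed at any captured UDP DNS payload; a pattern that can match a TTL, an RDLENGTH or RDATA bytes as easily as a QTYPE is the reason a content-only match on three bytes needs a direction or QR-bit check before it is treated as evidence of a transfer attempt.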
