[Snort-sigs] Question Alert 1948

Wes Young wyoung at ...1639...
Sat Jul 19 10:00:03 EDT 2003

If you look further, there is also a rule @ 255 that alerts TCP zone transfers as well.
If you probe out a DNS server (bind in this case) u'll see that it listens not only on TCP 53, but UDP 53 as well.

I'm guessing that someone just threw in the UDP for the slight chance that a zone xfer was attempted on UDP. (since its higher in the list, i assume they had the TCP one there first).

Hope this helps!

>>> Cathy Stallings <cxxs at ...685...> 07/17 1:53 PM >>>
Thank you for your attention and assistance. I was reviewing the various
snort alerts and came upon alert 1948 which confused me. It is DNS zone
transfer UDP. According to TCP/IP Illustrated, Volume 1 The Protocols by W.
Richard Stevens on page 206 "Zone transfers are done using TCP, since there
is much more data to transfer than a single query or response." So I was
wondering why the alert specified UDP? I hope you can educate me and thanks
again for the help.

More information about the Snort-sigs mailing list