[Snort-sigs] Possible False on Zone Transfer

wbradd wbradd at ...1143...
Wed Oct 8 15:17:01 EDT 2003


One of my IDS sensors is seeing a log of zone transfer alerts.  When I look
at the rule and compare it to the alerts I made my call is that it is a
false positive.

Here's why:  Direction if from the Internet to my system an apparent
extended response to a standard query.  I have provided an example alert
file entry and the output from snort binary log entry.  When looking at the
payload in the db or with ethereal, we see the byte code the signature is
triggering on, which is | 00 00 FC |.

One of my analyst says it is someone trying to do a zone transfer from us.

Here is an example of the alert,  Last I knew, this was a response packet
[**] [1:1948:1] DNS zone transfer UDP [**]
[Classification: Attempted Information Leak] [Priority: 2]
10/08-09:09:36.260000 6x.xx.x.x:53 ->
UDP TTL:251 TOS:0x0 ID:41386 IpLen:20 DgmLen:144 DF
Len: 124
[Xref => arachnids 212][Xref => cve can-1999-0532]
09:09:36.260000 >  [udp sum ok] 60496
1/2/2 img.cmpnet.com. A (116) (DF) (ttl 251, id 41386, len 144)



More information about the Snort-sigs mailing list