[Snort-sigs] Possible False on Zone Transfer
bryan.irvine at ...1441...
Wed Oct 8 15:56:04 EDT 2003
I've gotten a bunch of these as well... odd, anyone know what's up with
On Wed, 2003-10-08 at 15:17, wbradd wrote:
> One of my IDS sensors is seeing a lot of zone transfer alerts. When I look
> at the rule and compare it to the alerts, my call is that it is a
> false positive.
> Here's why: Direction is from the Internet to my system, an apparent
> extended response to a standard query. I have provided an example alert
> file entry and the output from snort binary log entry. When looking at the
> payload in the db or with ethereal, we see the byte code the signature is
> triggering on, which is | 00 00 FC |.
> One of my analysts says it is someone trying to do a zone transfer from us.
> Here is an example of the alert. Last I knew, this was a response packet:
> [**] [1:1948:1] DNS zone transfer UDP [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 10/08-09:09:36.260000 6x.xx.x.x:53 -> 192.168.0.3:53
> UDP TTL:251 TOS:0x0 ID:41386 IpLen:20 DgmLen:144 DF
> Len: 124
> [Xref => arachnids 212][Xref => cve can-1999-0532]
> 09:09:36.260000 22.214.171.124.domain > 192.168.0.3.domain: [udp sum ok] 60496
> 1/2/2 img.cmpnet.com. A 126.96.36.199 (116) (DF) (ttl 251, id 41386, len 144)
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
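Added example (not from the thread or the Snort rule set): the |00 00 FC| match is the root-label terminator followed by QTYPE AXFR (252), which only means "zone transfer request" when it sits at the end of the question name in a packet with the QR bit clear. The same three bytes can appear elsewhere in a response, for instance inside an answer's TTL, so a raw content match fires on ordinary replies. Packets below are constructed, not the ones from the alert.

```python
import struct

AXFR = 252  # QTYPE AXFR: |00 FC| on the wire, preceded by the name's |00| root label

def build_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def build_response(qname: str, answer_ip: str, ttl: int) -> bytes:
    """Constructed DNS response (QR=1, one A question, one A answer); not a capture."""
    header = struct.pack("!HHHHHH", 60496, 0x8180, 1, 1, 0, 0)  # id, QR|RD|RA, qd, an, ns, ar
    question = build_name(qname) + struct.pack("!HH", 1, 1)     # QTYPE A, QCLASS IN
    rdata = bytes(int(o) for o in answer_ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata  # name ptr to offset 12
    return header + question + answer

def build_axfr_query(qname: str) -> bytes:
    """Constructed AXFR request (QR=0, one question with QTYPE AXFR)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + build_name(qname) + struct.pack("!HH", AXFR, 1)

def skip_name(pkt: bytes, off: int) -> int:
    """Advance past an uncompressed or compressed name; return the new offset."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer, 2 bytes, ends the name
            return off + 2
        off += 1 + length

def question_qtypes(pkt: bytes):
    """Return (qr_bit, [qtype, ...]) by walking the question section properly."""
    flags, qdcount = struct.unpack("!HH", pkt[2:6])
    off, qtypes = 12, []
    for _ in range(qdcount):
        off = skip_name(pkt, off)
        qtypes.append(struct.unpack("!H", pkt[off:off + 2])[0])
        off += 4  # QTYPE + QCLASS
    return flags >> 15, qtypes

def content_match(pkt: bytes) -> bool:
    """What a bare content:"|00 00 FC|" check sees: the bytes anywhere in the payload."""
    return b"\x00\x00\xfc" in pkt

def is_axfr_request(pkt: bytes) -> bool:
    """Protocol-aware check: a query (QR=0) whose question section asks for AXFR."""
    qr, qtypes = question_qtypes(pkt)
    return qr == 0 and AXFR in qtypes
```

With a TTL of 0x0000FC00 the response contains |00 00 FC| in the answer's TTL field and the raw match fires, while the protocol-aware check sees a response with QTYPE A and stays quiet; the AXFR query trips both.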