[Snort-sigs] Possible False on Zone Transfer

Bryan Irvine bryan.irvine at ...1441...
Wed Oct 8 15:56:04 EDT 2003


I've gotten a bunch of these as well....odd, anyone know what's up with
this?

--Bryan

On Wed, 2003-10-08 at 15:17, wbradd wrote:
> All,
> 
> One of my IDS sensors is seeing a lot of zone transfer alerts.  When I look
> at the rule and compare it to the alerts, my call is that it is a false
> positive.
> 
> Here's why:  Direction is from the Internet to my system, an apparent
> extended response to a standard query.  I have provided an example alert
> file entry and the output from the snort binary log entry.  When looking at the
> payload in the db or with ethereal, we see the byte code the signature is
> triggering on, which is | 00 00 FC |.
> 
> One of my analysts says it is someone trying to do a zone transfer from us.
> 
> Here is an example of the alert.  Last I knew, this was a response packet:
> =========================================================================
> [**] [1:1948:1] DNS zone transfer UDP [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 10/08-09:09:36.260000 6x.xx.x.x:53 -> 192.168.0.3:53
> UDP TTL:251 TOS:0x0 ID:41386 IpLen:20 DgmLen:144 DF
> Len: 124
> [Xref => arachnids 212][Xref => cve can-1999-0532]
> =========================================================================
> 09:09:36.260000 68.48.0.6.domain > 192.168.0.3.domain:  [udp sum ok] 60496
> 1/2/2 img.cmpnet.com. A 66.77.24.4 (116) (DF) (ttl 251, id 41386, len 144)
> 
> =========================================================================
> 
> Thoughts?
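As an added illustration (not code from the thread or from the Snort rule itself): the difference between a content-only match on | 00 00 FC | and a check that parses the DNS header and only fires on a *query* whose question QTYPE is AXFR (252 = 0x00FC). The two packets below are constructed; the response uses a record TTL of 252 seconds, which serialises as 00 00 00 FC, as one plausible way a plain answer can carry those bytes (not a claim about the packet in the alert above).

```python
import struct

AXFR = 252  # QTYPE for a zone transfer request (0x00FC)

def build_name(name: str) -> bytes:
    """Encode a dotted name in DNS label format."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def naive_match(payload: bytes) -> bool:
    """What a content-only rule does: look for |00 00 FC| anywhere in the payload."""
    return b"\x00\x00\xfc" in payload

def is_axfr_query(payload: bytes) -> bool:
    """Alert only on a query (QR=0) whose question section asks for QTYPE AXFR."""
    if len(payload) < 12:
        return False
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000:  # QR bit set: this is a response, not a request
        return False
    off = 12
    for _ in range(qdcount):
        off = skip_name(payload, off)
        qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        if qtype == AXFR:
            return True
    return False

def a_record(ttl: int, ip: bytes) -> bytes:
    """Answer RR pointing back at the question name (offset 12), type A, class IN."""
    return b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(ip)) + ip

# Constructed sample 1: a genuine AXFR request for example.com (QR=0, QTYPE=252).
AXFR_QUERY = (struct.pack("!6H", 0x1234, 0x0000, 1, 0, 0, 0)
              + build_name("example.com") + struct.pack("!HH", AXFR, 1))

# Constructed sample 2: a standard response (QR=1) answering an A query; the
# TTL of 252 seconds encodes as 00 00 00 FC, so the rule's byte pattern is present.
A_RESPONSE = (struct.pack("!6H", 60496, 0x8180, 1, 1, 0, 0)
              + build_name("img.cmpnet.com") + struct.pack("!HH", 1, 1)
              + a_record(252, bytes([66, 77, 24, 4])))
```

Both samples satisfy naive_match, but only AXFR_QUERY satisfies is_axfr_query, which is the distinction the alert above is missing.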