[Snort-sigs] FP: BAD-TRAFFIC dns root nameserver poisoning attempt?

Nerijus Krukauskas nkrukauskas at ...2420...
Thu Oct 30 05:24:58 EDT 2008


  Since the rule "BAD-TRAFFIC dns root nameserver poisoning attempt"
(gid:3, sid:13887) is a message from a dynamic preprocessor, only
Sourcefire folks would know the answer, I guess.
  I believe I'm seeing an FP for this rule. The packet capture is below.
Note: the dump is the payload of the UDP packet without IP and UDP
headers. In this case it's DNS.

2008-10-29 20:44:48 213.180.204.1:53 -> x.y.z.n:60674
UDP TTL:52 TOS:0x0 ID:60905 IPLen:365 HLen:5 CSumIP:0x2B82
Len:0x159 CSum:0x462D

Payload (Hex):
625F 8400 0001 0003 0007 0007 0769 6D38 2D74 7562
0679 616E 6465 7803 6E65 7400 0001 0001 C00C 0005
0001 0000 1C20 0013 0769 6D38 2D74 7562 0679 616E
6465 7802 7275 00C0 3000 0100 0100 002A 3000 0457
FAFB 3CC0 3000 0100 0100 002A 3000 044D 5815 3CC0
3800 0200 0100 0546 0000 0603 6E73 31C0 38C0 3800
0200 0100 0546 0000 0603 6E73 32C0 38C0 3800 0200
0100 0546 0000 0603 6E73 34C0 38C0 3800 0200 0100
0546 0000 0603 6E73 35C0 38C0 1400 0200 0100 02A3
0000 0603 6E73 31C0 14C0 1400 0200 0100 02A3 0000
0603 6E73 32C0 14C0 1400 0200 0100 02A3 0000 0603
6E73 35C0 14C0 6F00 0100 0100 0546 0000 04D5 B4C1
01C0 8100 0100 0100 0546 0000 04D5 B4C7 22C0 9300
0100 0100 0546 0000 044D 5813 3CC0 A500 0100 0100
0546 0000 04D5 B4CC 01C0 B700 0100 0100 02A3 0000
04D5 B4C1 01C0 C900 0100 0100 02A3 0000 04D5 B4C7
22C0 DB00 0100 0100 02A3 0000 04D5 B4CC 01

Payload (ASCII):
b_...........im8-tub
.yandex.net.........
..... ...im8-tub.yan
dex.ru..0......*0..W
..<.0......*0..MX.
<.8......F....ns1.
8.8......F....ns2.8.
8......F....ns4.8.8.
.....F....ns5.8.....
........ns1.........
......ns2...........
....ns5...o......F..
.............F......
"........F...MX.&lt.
.......F............
....................
......".............
...


-- 
http://nk99.org/
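
Added example, not from the post or from Snort: a decoder for the payload above (hex copied from the dump, constructed as a byte string) that lists the answer, authority and additional sections and then checks for NS records owned by the root zone. That check is my assumed reading of the rule name, not the preprocessor's actual logic.

```python
import struct
# Constructed from the hex dump in the post: the 337-byte DNS payload with IP/UDP headers stripped.
PAYLOAD = bytes.fromhex(
    "625F8400000100030007000707696D382D7475620679616E646578036E65740000010001C00C0005000100001C20001307696D382D7475620679616E"
    "64657802727500C0300001000100002A30000457FAFB3CC0300001000100002A3000044D58153CC03800020001000546000006036E7331C038C03800"
    "020001000546000006036E7332C038C03800020001000546000006036E7334C038C03800020001000546000006036E7335C038C014000200010002A3"
    "000006036E7331C014C014000200010002A3000006036E7332C014C014000200010002A3000006036E7335C014C06F00010001000546000004D5B4C1"
    "01C08100010001000546000004D5B4C722C093000100010005460000044D58133CC0A500010001000546000004D5B4CC01C0B7000100010002A30000"
    "04D5B4C101C0C9000100010002A3000004D5B4C722C0DB000100010002A3000004D5B4CC01"
)

def read_name(msg, off):
    # Decode a name, following RFC 1035 compression pointers; return (name, offset after the field).
    labels, end = [], None
    while (length := msg[off]) != 0:
        if length & 0xC0 == 0xC0:                       # pointer: 14-bit offset into the message
            end = off + 2 if end is None else end       # the field ends right after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels) or ".", off + 1 if end is None else end

def parse_response(msg):
    # Return the answer/authority/additional sections as lists of (owner, type, ttl, rdata).
    _, _, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                                 # skip the question section (name + type + class)
        off = read_name(msg, off)[1] + 4
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        sections[key] = []
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype in (2, 5):                         # NS / CNAME rdata is a (compressed) name
                rdata = read_name(msg, off)[0]
            else:                                       # A: dotted quad; anything else: raw hex
                rdata = ".".join(map(str, msg[off:off + 4])) if rtype == 1 else msg[off:off + rdlen].hex()
            sections[key].append((owner, {1: "A", 2: "NS", 5: "CNAME"}.get(rtype, str(rtype)), ttl, rdata))
            off += rdlen
    return sections

def root_ns_records(sections):
    # NS records owned by the root zone ("."): what a "root nameserver poisoning" check would have to find (assumed).
    return [r for recs in sections.values() for r in recs if r[1] == "NS" and r[0] == "."]

if __name__ == "__main__":
    print(parse_response(PAYLOAD), root_ns_records(parse_response(PAYLOAD)), sep="\nroot NS records: ")
```

For this payload the authority section holds only NS records for yandex.ru and yandex.net, so the root-NS check returns an empty list.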