[Snort-users] DNS spoofing packet trace

Ralf Hildebrandt Ralf.Hildebrandt at ...1533...
Mon Mar 12 08:55:57 EST 2001


I produced from the following alert

Mar  9 12:43:45 john snort[24499]: DNS SPOOF query response with ttl:
195.243.104.1:53 -> 195.243.106.23:61482
Mar  9 12:45:01 john snort[24499]: DNS SPOOF query response with ttl:
195.243.104.1:53 -> 195.243.106.23:61482

this packet trace
 
> [**] DNS SPOOF query response with ttl [**]
> 03/09-12:43:45.496147 195.243.104.1:53 -> 195.243.106.23:61482
> UDP TTL:253 TOS:0x0 ID:59301 IpLen:20 DgmLen:90 DF
> Len: 70
> 1F 8C 81 80 00 01 00 01 00 00 00 00 06 6C 77 31  .............lw1
> 34 66 64 05 6C 61 77 31 34 07 68 6F 74 6D 61 69  4fd.law14.hotmai
> 6C 03 6D 73 6E 03 63 6F 6D 00 00 01 00 01 C0 0C  l.msn.com.......
> 00 01 00 01 00 00 00 3C 00 04 40 04 14 FA        .......<..@...
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> [**] DNS SPOOF query response with ttl [**]
> 03/09-12:45:01.315516 195.243.104.1:53 -> 195.243.106.23:61482
> UDP TTL:253 TOS:0x0 ID:59332 IpLen:20 DgmLen:90 DF
> Len: 70
> 96 35 81 80 00 01 00 01 00 00 00 00 06 6C 77 31  .5...........lw1
> 34 66 64 05 6C 61 77 31 34 07 68 6F 74 6D 61 69  4fd.law14.hotmai
> 6C 03 6D 73 6E 03 63 6F 6D 00 00 01 00 01 C0 0C  l.msn.com.......
> 00 01 00 01 00 00 00 3C 00 04 40 04 14 FA        .......<..@...
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Could somebody enlighten me what was tried here?

-- 
ralf.hildebrandt at ...1533...                  innominate AG
r.hildebrandt at ...1534...          the linux architects
tel: 3063-4942 fax: -4200                   http://www.innominate.com
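To see what the alert actually matched, it helps to decode the quoted payload rather than read the hex by eye. The following Python is an added example written for this archive page; it is not Snort code and not part of the original post. It walks the DNS header, the question and the answer of the two dumps above (the hex columns are copied from the trace, minus the UDP header) and reports the features the alert name points at: a response with a single A record, a 60-second (0x3C) TTL and empty authority and additional sections. That the old "DNS SPOOF query response with ttl" signature keys on exactly that byte pattern is my recollection of the rule, not something the post states, and is marked as an assumption in the code. Decoding shows both packets are the same answer (lw14fd.law14.hotmail.msn.com -> 64.4.20.250) differing only in transaction ID, which is the first thing to check when deciding whether such an alert is a spoof or a legitimate resolver reply with a short TTL.

```python
import struct

# Constructed input: DNS payloads of the two quoted Snort dumps (hex columns only;
# the 70-byte UDP length minus the 8-byte UDP header leaves 62 bytes of DNS).
FIRST_RESPONSE_HEX = """
1F 8C 81 80 00 01 00 01 00 00 00 00 06 6C 77 31
34 66 64 05 6C 61 77 31 34 07 68 6F 74 6D 61 69
6C 03 6D 73 6E 03 63 6F 6D 00 00 01 00 01 C0 0C
00 01 00 01 00 00 00 3C 00 04 40 04 14 FA
"""
SECOND_RESPONSE_HEX = "96 35" + FIRST_RESPONSE_HEX[6:]  # identical except the ID


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn the whitespace-separated hex columns of a Snort dump into bytes."""
    return bytes.fromhex("".join(dump.split()))


def read_name(buf: bytes, off: int, hops: int = 0):
    """Decode a DNS name at buf[off], following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name as written at off)."""
    labels = []
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer (C0 0C above -> offset 12)
            if hops > 10:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            tail, _ = read_name(buf, ptr, hops + 1)
            if tail:
                labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        if length == 0:  # root label terminates the name
            return ".".join(labels), off
        labels.append(buf[off:off + length].decode("ascii"))
        off += length


def read_rrs(buf: bytes, off: int, count: int):
    """Parse `count` resource records starting at buf[off]."""
    rrs = []
    for _ in range(count):
        name, off = read_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        rrs.append({"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata})
    return rrs, off


def parse_response(payload: bytes) -> dict:
    """Decode header, question section and all three RR sections of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = read_name(payload, off)
        qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        questions.append({"name": name, "type": qtype, "class": qclass})
    answers, off = read_rrs(payload, off, an)
    authority, off = read_rrs(payload, off, ns)
    additional, off = read_rrs(payload, off, ar)
    return {
        "id": txid,
        "is_response": bool(flags >> 15 & 1),
        "authoritative": bool(flags >> 10 & 1),
        "rcode": flags & 0xF,
        "questions": questions,
        "answers": answers,
        "authority": authority,
        "additional": additional,
        "trailing_bytes": len(payload) - off,
    }


def spoof_signature_features(resp: dict) -> dict:
    """Features the 'DNS SPOOF query response with ttl' alert name points at.
    ASSUMPTION (not from the post): the old Snort rule matched a response with one
    A answer, TTL 0x3C (60 s) and no authority/additional records."""
    one_a_answer = len(resp["answers"]) == 1 and resp["answers"][0]["type"] == 1
    return {
        "is_response": resp["is_response"],
        "single_a_answer": one_a_answer,
        "ttl_is_60s": one_a_answer and resp["answers"][0]["ttl"] == 60,
        "no_authority_or_additional": not resp["authority"] and not resp["additional"],
    }


if __name__ == "__main__":
    for dump in (FIRST_RESPONSE_HEX, SECOND_RESPONSE_HEX):
        r = parse_response(hexdump_to_bytes(dump))
        print(hex(r["id"]), r["questions"][0]["name"], "->", r["answers"][0]["rdata"],
              "ttl", r["answers"][0]["ttl"], spoof_signature_features(r))
```

Run it as a script to print both decodes; `trailing_bytes` should be 0, which confirms the hex was copied completely and the UDP length in the dump is consistent with the DNS content.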