[Snort-users] help with "DNS SPOOF" incidents

R P G inittab at ...2150...
Wed May 30 21:24:29 EDT 2001


Hi All,

I'm wondering if someone here can help me analyze what's going on with
this.  My snort sensor has detected these "DNS SPOOF" packets over the
past couple of weeks.  My server is "aaa.bbb.ccc.15" and my server's
configured "forwarders" are "xxx.yyy.zzz.1" and "xxx.yyy.zzz.2".  The
snort rule that has kicked these off is as follows:

alert udp $EXTERNAL 53 -> $INTERNAL any (msg:"DNS SPOOF query response
with ttl: 1 min. and no authority"; content:"|81800001000100000000|";
content:"|c00c000100010000003c0004|";)

What could be happening here? Can someone shed some insight on this?  

TIA

--Bob


------------------------------------------------------------------------------
#(1 - 379452) [2001-05-06 01:03:41]  DNS SPOOF query response with ttl
IPv4: xxx.yyy.zzz.1 -> aaa.bbb.ccc.15
      hlen=5 TOS=0 dlen=82 ID=51775 flags=0 offset=0 TTL=52 chksum=2578
UDP:  port=53 -> dport: 1662 len=62
Payload:  length = 54

000 : 46 7E 81 80 00 01 00 01 00 00 00 00 06 38 34 2D   F~...........84-
010 : 30 38 39 06 64 61 76 6E 65 74 03 63 6F 6D 02 68   089.davnet.com.h
020 : 6B 00 00 01 00 01 C0 0C 00 01 00 01 00 00 00 3C   k..............<
030 : 00 04 CA 45 54 59                                 ...ETY
------------------------------------------------------------------------------
#(1 - 383336) [2001-05-09 01:08:17]  DNS SPOOF query response with ttl
IPv4: xxx.yyy.zzz.1 -> aaa.bbb.ccc.15
      hlen=5 TOS=0 dlen=82 ID=46083 flags=0 offset=0 TTL=52 chksum=8270
UDP:  port=53 -> dport: 1887 len=62
Payload:  length = 54

000 : BB B1 81 80 00 01 00 01 00 00 00 00 06 38 34 2D   .............84-
010 : 30 37 37 06 64 61 76 6E 65 74 03 63 6F 6D 02 68   077.davnet.com.h
020 : 6B 00 00 01 00 01 C0 0C 00 01 00 01 00 00 00 3C   k..............<
030 : 00 04 CA 45 54 4D                                 ...ETM
------------------------------------------------------------------------------
#(1 - 383335) [2001-05-09 01:08:16]  DNS SPOOF query response with ttl
IPv4: xxx.yyy.zzz.2 -> aaa.bbb.ccc.15
      hlen=5 TOS=0 dlen=82 ID=4566 flags=0 offset=0 TTL=53 chksum=49530
UDP:  port=53 -> dport: 1887 len=62
Payload:  length = 54

000 : BB B1 81 80 00 01 00 01 00 00 00 00 06 38 34 2D   .............84-
010 : 30 37 37 06 64 61 76 6E 65 74 03 63 6F 6D 02 68   077.davnet.com.h
020 : 6B 00 00 01 00 01 C0 0C 00 01 00 01 00 00 00 3C   k..............<
030 : 00 04 CA 45 54 4D                                 ...ETM
------------------------------------------------------------------------------
#(1 - 384900) [2001-05-14 01:04:39]  DNS SPOOF query response with ttl
IPv4: xxx.yyy.zzz.2 -> aaa.bbb.ccc.15
      hlen=5 TOS=0 dlen=82 ID=18846 flags=0 offset=0 TTL=59 chksum=33714
UDP:  port=53 -> dport: 1441 len=62
Payload:  length = 54

000 : FE ED 81 80 00 01 00 01 00 00 00 00 06 38 34 2D   .............84-
010 : 30 38 38 06 64 61 76 6E 65 74 03 63 6F 6D 02 68   088.davnet.com.h
020 : 6B 00 00 01 00 01 C0 0C 00 01 00 01 00 00 00 3C   k..............<
030 : 00 04 CA 45 54 58                                 ...ETX
------------------------------------------------------------------------------
#(1 - 384899) [2001-05-14 01:04:38]  DNS SPOOF query response with ttl
IPv4: xxx.yyy.zzz.1 -> aaa.bbb.ccc.15
      hlen=5 TOS=0 dlen=82 ID=60364 flags=0 offset=0 TTL=59 chksum=57732
UDP:  port=53 -> dport: 1441 len=62
Payload:  length = 54

000 : FE ED 81 80 00 01 00 01 00 00 00 00 06 38 34 2D   .............84-
010 : 30 38 38 06 64 61 76 6E 65 74 03 63 6F 6D 02 68   088.davnet.com.h
020 : 6B 00 00 01 00 01 C0 0C 00 01 00 01 00 00 00 3C   k..............<
030 : 00 04 CA 45 54 58                                 ...ETX
------------------------------------------------------------------------------
#(1 - 1533334) [2001-05-29 15:33:50]  DNS SPOOF query response with ttl
IPv4: xxx.yyy.zzz.1 -> aaa.bbb.ccc.15
      hlen=5 TOS=0 dlen=82 ID=4084 flags=0 offset=0 TTL=59 chksum=48477
UDP:  port=53 -> dport: 1675 len=62
Payload:  length = 54

000 : DA 4F 81 80 00 01 00 01 00 00 00 00 06 38 34 2D   .O...........84-
010 : 30 38 38 06 64 61 76 6E 65 74 03 63 6F 6D 02 68   088.davnet.com.h
020 : 6B 00 00 01 00 01 C0 0C 00 01 00 01 00 00 00 3C   k..............<
030 : 00 04 CA 45 54 58                                 ...ETX
------------------------------------------------------------------------------
#(1 - 1533544) [2001-05-30 00:09:38]  DNS SPOOF query response with ttl
IPv4: xxx.yyy.zzz.2 -> aaa.bbb.ccc.15
      hlen=5 TOS=0 dlen=82 ID=55890 flags=0 offset=0 TTL=59 chksum=62205
UDP:  port=53 -> dport: 1675 len=62
Payload:  length = 54

000 : E9 E1 81 80 00 01 00 01 00 00 00 00 06 38 34 2D   .............84-
010 : 30 37 37 06 64 61 76 6E 65 74 03 63 6F 6D 02 68   077.davnet.com.h
020 : 6B 00 00 01 00 01 C0 0C 00 01 00 01 00 00 00 3C   k..............<
030 : 00 04 CA 45 54 4D                                 ...ETM
------------------------------------------------------------------------------
#(1 - 1533542) [2001-05-30 00:09:38]  DNS SPOOF query response with ttl
IPv4: xxx.yyy.zzz.2 -> aaa.bbb.ccc.15
      hlen=5 TOS=0 dlen=82 ID=55817 flags=0 offset=0 TTL=59 chksum=62278
UDP:  port=53 -> dport: 1675 len=62
Payload:  length = 54

000 : E9 E1 81 80 00 01 00 01 00 00 00 00 06 38 34 2D   .............84-
010 : 30 37 37 06 64 61 76 6E 65 74 03 63 6F 6D 02 68   077.davnet.com.h
020 : 6B 00 00 01 00 01 C0 0C 00 01 00 01 00 00 00 3C   k..............<
030 : 00 04 CA 45 54 4D                                 ...ETM

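Decoding the payloads in these alerts, as an added example that is not part of the original post and not Snort's own code: the parser below is a minimal RFC 1035 message decoder, and SAMPLE_PAYLOAD is constructed from the hex dump of the first alert (54 bytes). It shows what the rule's two content strings correspond to: `81800001000100000000` is the header (standard response, RD/RA set, one question, one answer, no authority, no additional records), and `c00c000100010000003c0004` is an A-record answer whose name is a compression pointer back to the question name (offset 12) with a 60-second TTL and a 4-byte address. Running the same decoder over a captured response lets an analyst check the things that separate a short-TTL answer from a forged one before escalating: that the answer name is the one that was asked for, that the transaction id matches the outstanding query, and that the packet came from a configured forwarder. The function names and the dictionary returned by `explain_alert` are this example's own.

```python
"""Decode a DNS response payload and show what the "DNS SPOOF" rule keys on."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Constructed from the first alert's hex dump in the post (54 bytes).
SAMPLE_PAYLOAD = bytes.fromhex(
    "467e81800001000100000000"                      # id 0x467e, flags 0x8180, qd=1 an=1 ns=0 ar=0
    "0638342d303839066461766e657403636f6d02686b00"  # question name 84-089.davnet.com.hk
    "00010001"                                      # qtype A, qclass IN
    "c00c"                                          # answer name: pointer to offset 12
    "00010001"                                      # type A, class IN
    "0000003c"                                      # ttl 60 seconds
    "0004"                                          # rdlength 4
    "ca455459"                                      # 202.69.84.89
)

# The two content: strings from the Snort rule quoted in the post.
RULE_CONTENTS = (bytes.fromhex("81800001000100000000"),
                 bytes.fromhex("c00c000100010000003c0004"))


def rule_matches(payload: bytes) -> bool:
    """Mimic the rule: both content strings must appear somewhere in the payload."""
    return all(c in payload for c in RULE_CONTENTS)


def read_name(buf: bytes, offset: int) -> Tuple[str, int]:
    """Return (dotted name, offset just after the name in the original stream).
    Follows RFC 1035 compression pointers and refuses pointer loops."""
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(buf):
            raise ValueError("name runs past end of packet")
        length = buf[offset]
        if length & 0xC0 == 0xC0:               # compression pointer
            if offset + 1 >= len(buf):
                raise ValueError("truncated pointer")
            pointer = struct.unpack_from("!H", buf, offset)[0] & 0x3FFF
            if end is None:
                end = offset + 2                # resume here after following the pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


@dataclass
class ResourceRecord:
    name: str
    rtype: int
    rclass: int
    ttl: int
    rdata: bytes

    def address(self) -> str:
        """Dotted-quad for an A record, empty string otherwise."""
        if self.rtype == 1 and len(self.rdata) == 4:
            return ".".join(str(b) for b in self.rdata)
        return ""


@dataclass
class DnsMessage:
    txid: int
    flags: int
    questions: List[Tuple[str, int, int]]
    answers: List[ResourceRecord]
    authority: List[ResourceRecord]
    additional: List[ResourceRecord]

    @property
    def is_response(self) -> bool:
        return bool(self.flags & 0x8000)

    @property
    def rcode(self) -> int:
        return self.flags & 0x000F


def parse_dns(buf: bytes) -> DnsMessage:
    """Parse header, question section and the three RR sections."""
    if len(buf) < 12:
        raise ValueError("short DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack_from("!6H", buf, 0)
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(buf, off)
        qtype, qclass = struct.unpack_from("!HH", buf, off)
        off += 4
        questions.append((name, qtype, qclass))
    sections = []
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            name, off = read_name(buf, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
            off += 10
            rdata = buf[off:off + rdlen]
            if len(rdata) != rdlen:
                raise ValueError("truncated rdata")
            off += rdlen
            rrs.append(ResourceRecord(name, rtype, rclass, ttl, rdata))
        sections.append(rrs)
    return DnsMessage(txid, flags, questions, *sections)


def explain_alert(payload: bytes) -> dict:
    """Summarise the fields an analyst checks when triaging one of these alerts."""
    msg = parse_dns(payload)
    qname = msg.questions[0][0] if msg.questions else ""
    return {
        "rule_matches": rule_matches(payload),
        "txid": msg.txid,
        "is_response": msg.is_response,
        "rcode": msg.rcode,
        "qname": qname,
        "answers": [(rr.name, rr.ttl, rr.address()) for rr in msg.answers],
        "authority_count": len(msg.authority),
        "answer_matches_question": all(rr.name == qname for rr in msg.answers),
    }


if __name__ == "__main__":
    for key, value in explain_alert(SAMPLE_PAYLOAD).items():
        print(f"{key}: {value}")
```

The rule fires on any ordinary one-answer A response with a 60-second TTL and nothing in the authority section, so the decoded fields, not the rule match alone, are what distinguish a cache-friendly short TTL from an injected answer; with the payload above, the answer name, question name and transaction id are all internally consistent, and the remaining check is whether the source address is one of the resolver's configured forwarders, which the post's captures show it is.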