[Snort-users] help with "DNS SPOOF" incidents

Ralf Hildebrandt Ralf.Hildebrandt at ...821...
Thu May 31 16:40:37 EDT 2001


On Wed, May 30, 2001 at 09:24:29PM -0400, R P G wrote:
> Hi All,
> 
> I'm wondering if someone here can help me analyze what's going on with
> this.  My snort sensor has detected these "DNS SPOOF" packets over the
> past couple of weeks.  My server is "aaa.bbb.ccc.15" and my server's
> configured "forwarders" are "xxx.yyy.zzz.1" and "xxx.yyy.zzz.2".  The
> snort rule that has kicked these off is as follows:

Maybe somebody is querying domains with a really low TTL? S.th. like myip.net?

> 000 : 46 7E 81 80 00 01 00 01 00 00 00 00 06 38 34 2D   F~...........84-
> 010 : 30 38 39 06 64 61 76 6E 65 74 03 63 6F 6D 02 68   089.davnet.com.h
> 020 : 6B 00 00 01 00 01 C0 0C 00 01 00 01 00 00 00 3C   k..............<
> 030 : 00 04 CA 45 54 59                                 ...ETY

% dig  84-089.davnet.com.hk

;; ANSWER SECTION:
84-089.davnet.com.hk.	60	IN	A	202.69.84.89

Yup, that's it.
-- 
ralf.hildebrandt at ...821...                            innominate AG
System Engineer                        Don't be afraid of what you see -
Diplom-Informatiker                     be afraid of what you don't see!
tel: +49.(0)7000.POSTFIX  fax: +49.(0)30.308806-698         
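To check an alert like this without a live resolver, the hex dump above can be decoded directly. The following is an added example, not code from the thread or from Snort: a small DNS response parser that walks the header, question and answer sections (following the C0 0C compression pointer), reports what the quoted packet actually contains, and compares it against the dig answer Ralf pasted. The low-TTL/no-authority check in it is my reconstruction of what such a rule keys on, since the rule text itself is cut from the quoted mail.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

# Constructed from the 54 bytes of DNS payload quoted in the thread (no IP/UDP headers).
DNS_SPOOF_PACKET = bytes.fromhex(
    "467E818000010001000000000638342D"
    "303839066461766E657403636F6D0268"
    "6B0000010001C00C000100010000003C"
    "0004CA455459"
)


def read_name(data: bytes, offset: int) -> tuple[str, int]:
    """Decode a DNS name at `offset`, following compression pointers (RFC 1035 4.1.4).
    Returns (dotted name, offset just past the name in the original stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier name
            hops += 1
            if hops > 16:                              # guard against pointer loops
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2                       # a pointer ends the name in-stream
            offset = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end if end is not None else offset


@dataclass
class ResourceRecord:
    name: str
    rtype: int
    rclass: int
    ttl: int
    rdata: bytes

    def rdata_text(self) -> str:
        if self.rtype == 1 and len(self.rdata) == 4:   # A record: render as dotted quad
            return ".".join(str(b) for b in self.rdata)
        return self.rdata.hex()


@dataclass
class DnsMessage:
    id: int
    flags: int
    questions: list
    answers: list
    authority: list
    additional: list

    @property
    def is_response(self) -> bool:
        return bool(self.flags & 0x8000)               # QR bit


def parse_dns(data: bytes) -> DnsMessage:
    msg_id, flags, qd, an, ns, ar = struct.unpack_from("!6H", data, 0)
    offset, questions = 12, []
    for _ in range(qd):
        name, offset = read_name(data, offset)
        qtype, qclass = struct.unpack_from("!HH", data, offset)
        offset += 4
        questions.append((name, qtype, qclass))
    sections = []
    for count in (an, ns, ar):                         # answer, authority, additional
        records = []
        for _ in range(count):
            name, offset = read_name(data, offset)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, offset)
            offset += 10
            records.append(ResourceRecord(name, rtype, rclass, ttl, data[offset:offset + rdlen]))
            offset += rdlen
        sections.append(records)
    return DnsMessage(msg_id, flags, questions, *sections)


def explain_alert(data: bytes, max_ttl: int = 60) -> dict:
    """Summarise why a low-TTL/no-authority heuristic would fire on this response.
    The heuristic is an assumption about the rule, not the rule text from the mail."""
    msg = parse_dns(data)
    first = msg.answers[0] if msg.answers else None
    return {
        "is_response": msg.is_response,
        "qname": msg.questions[0][0] if msg.questions else None,
        "answer": first.rdata_text() if first else None,
        "ttl": first.ttl if first else None,
        "authority_count": len(msg.authority),
        "matches_heuristic": bool(first) and first.ttl <= max_ttl and not msg.authority,
    }


def matches_dig(summary: dict, dig_answer_line: str) -> bool:
    """Compare the packet's answer with a dig ANSWER SECTION line: name, TTL and rdata must agree."""
    name, ttl, _cls, rtype, rdata = dig_answer_line.split()
    return (rtype == "A" and name == summary["qname"]
            and int(ttl) == summary["ttl"] and rdata == summary["answer"])


if __name__ == "__main__":
    result = explain_alert(DNS_SPOOF_PACKET)
    print(result)
    print("consistent with dig:", matches_dig(result, "84-089.davnet.com.hk.\t60\tIN\tA\t202.69.84.89"))
```

Run as-is, the summary shows the packet is a normal response (flags 0x8180) for 84-089.davnet.com.hk with a single A record of 202.69.84.89, a 60-second TTL and an empty authority section, which is exactly the shape that trips a TTL-of-one-minute signature; agreement with the dig line is what separates a short-TTL zone from an actual spoofed reply.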