[Snort-users] DNS Help/ SID 1948

Vanish Pattni (DSL AK) VanishP at ...6655...
Wed May 7 14:45:04 EDT 2003


we get a few of these every day. However, at first we checked the DNS server
logs to see if a zone transfer had indeed happened but that was not the
case. Finally we settled down to the fact that UDP is connectionless and the
packets could easily be spoofed.
 
TCP zone transfers have to come from a valid IP address and that is what you
really have to look out for. Check your DNS server logs for any uncertainty.
 
cheers
Vanish

-----Original Message-----
From: Everist, Benjamin S. (NASWI) [mailto:EveristB at ...8190...]
Sent: Thursday, May 08, 2003 6:45 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] DNS Help/ SID 1948



Is the alert below really a DNS Zone transfer?  If not, what is it?  

------------------------------------------------------------------------------
#(1 - 324871) [2003-05-06 09:15:04] [arachNIDS/212] [cve/CAN-1999-0532]
[icat/CAN-1999-0532] [snort/1948]  DNS zone transfer UDP

IPv4: 207.115.64.2 -> my.home.net 
      hlen=5 TOS=0 dlen=170 ID=0 flags=0 offset=0 TTL=47 chksum=51810 
UDP:  port=53 -> dport: 53 len=150 
Payload:  length = 142 

000 : 54 50 80 00 00 01 00 00 00 02 00 03 03 31 31 36   TP...........116
010 : 06 31 31 32 2F 32 38 03 31 33 35 02 31 38 02 31   .112/28.135.18.1
020 : 32 07 69 6E 2D 61 64 64 72 04 61 72 70 61 00 00   2.in-addr.arpa..
030 : 0C 00 01 C0 10 00 02 00 01 **00 00 FC** DB 00 12 03   ................
040 : 6E 73 32 08 69 73 6F 6D 65 64 69 61 03 63 6F 6D   ns2.isomedia.com
050 : 00 C0 10 00 02 00 01 **00 00 FC** DB 00 06 03 6E 73   ..............ns
060 : 31 C0 43 C0 5D 00 01 00 01 00 00 2A 30 00 04 CF   1.C.]......*0...
070 : 73 40 02 C0 3F 00 01 00 01 00 00 2A 30 00 04 CF   s@..?......*0...
080 : 73 40 03 00 00 29 10 00 00 00 80 00 00 00         s@...)........

and here's the sig that triggered it: 

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer UDP";
content: "|00 00 FC|"; offset:14; reference:cve,CAN-1999-0532;
reference:arachnids,212; classtype:attempted-recon; sid:1948; rev:1;) 

Your thoughts are appreciated... 

v/r, 

Benjamin Everist 
