[Snort-users] DNS Help/ SID 1948

Joesph Bowling joeybowling at ...125...
Wed May 7 15:57:20 EDT 2003


Yes they do.

Anything over 512K, DNS will use TCP.


>From: Demetri Mouratis <dmourati at ...3877...>
>To: "Vanish Pattni (DSL AK)" <VanishP at ...6655...>
>CC: "'Everist, Benjamin S. (NASWI)'" 
><EveristB at ...8190...>,<snort-users at lists.sourceforge.net>
>Subject: RE: [Snort-users] DNS Help/ SID 1948
>Date: Wed, 7 May 2003 17:39:06 -0500 (CDT)
>
>Uhh,
>
>Don't DNS zone transfers use TCP?
>
>On Thu, 8 May 2003, Vanish Pattni (DSL AK) wrote:
>
> > We get a few of these every day. However, at first we checked the DNS
> > server logs to see if a zone transfer had indeed happened, but that was not the
> > case. Finally we settled down to the fact that UDP is connectionless and
> > the packets could easily be spoofed.
> >
> > TCP zone transfers have to come from a valid IP address, and that is what
> > you really have to look out for. Check your DNS server logs for any
> > uncertainty.
> >
> > cheers
> > Vanish
> >
> > -----Original Message-----
> > From: Everist, Benjamin S. (NASWI) [mailto:EveristB at ...8190...]
> > Sent: Thursday, May 08, 2003 6:45 AM
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] DNS Help/ SID 1948
> >
> >
> >
> > Is the alert below really a DNS Zone transfer?  If not, what is it?
> >
> > ------------------------------------------------------------------------------
> > #(1 - 324871) [2003-05-06 09:15:04] [arachNIDS/212] [cve/CAN-1999-0532]
> > [icat/CAN-1999-0532] [snort/1948]  DNS zone transfer UDP
> >
> > IPv4: 207.115.64.2 -> my.home.net
> >       hlen=5 TOS=0 dlen=170 ID=0 flags=0 offset=0 TTL=47 chksum=51810
> > UDP:  port=53 -> dport: 53 len=150
> > Payload:  length = 142
> >
> > 000 : 54 50 80 00 00 01 00 00 00 02 00 03 03 31 31 36   TP...........116
> > 010 : 06 31 31 32 2F 32 38 03 31 33 35 02 31 38 02 31   .112/28.135.18.1
> > 020 : 32 07 69 6E 2D 61 64 64 72 04 61 72 70 61 00 00   2.in-addr.arpa..
> > 030 : 0C 00 01 C0 10 00 02 00 01 **00 00 FC** DB 00 12 03   ................
> > 040 : 6E 73 32 08 69 73 6F 6D 65 64 69 61 03 63 6F 6D   ns2.isomedia.com
> > 050 : 00 C0 10 00 02 00 01 **00 00 FC** DB 00 06 03 6E 73   ..............ns
> > 060 : 31 C0 43 C0 5D 00 01 00 01 00 00 2A 30 00 04 CF   1.C.]......*0...
> > 070 : 73 40 02 C0 3F 00 01 00 01 00 00 2A 30 00 04 CF   s@..?......*0...
> > 080 : 73 40 03 00 00 29 10 00 00 00 80 00 00 00         s@...)........
> >
> > and here's the sig that triggered it:
> >
> > alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer UDP";
> > content: "|00 00 FC|"; offset:14; reference:cve,CAN-1999-0532;
> > reference:arachnids,212; classtype:attempted-recon; sid:1948; rev:1;)
> >
> > Your thoughts are appreciated...
> >
> > v/r,
> >
> > Benjamin Everist
> >
> >
>
>---------------------------------------------------------------------
>Demetri Mouratis
>dmourati at ...3878...
