Snort mailing list archives
Re: help with "DNS SPOOF" incidents
From: Ralf Hildebrandt <Ralf.Hildebrandt () innominate com>
Date: Thu, 31 May 2001 22:40:37 +0200
On Wed, May 30, 2001 at 09:24:29PM -0400, R P G wrote:
> Hi All, I'm wondering if someone here can help me analyze what's going on with this. My snort sensor has detected these "DNS SPOOF" packets over the past couple of weeks. My server is "aaa.bbb.ccc.15" and my server's configured "forwarders" are "xxx.yyy.zzz.1" and "xxx.yyy.zzz.2". The snort rule that has kicked these off is as follows:
Maybe somebody is querying domains with a really low TTL? S.th. like myip.net?
000 : 46 7E 81 80 00 01 00 01 00 00 00 00 06 38 34 2D   F~...........84-
010 : 30 38 39 06 64 61 76 6E 65 74 03 63 6F 6D 02 68   089.davnet.com.h
020 : 6B 00 00 01 00 01 C0 0C 00 01 00 01 00 00 00 3C   k..............<
030 : 00 04 CA 45 54 59                                 ...ETY
% dig 84-089.davnet.com.hk
;; ANSWER SECTION:
84-089.davnet.com.hk.   60   IN   A   202.69.84.89

Yup, that's it.

--
ralf.hildebrandt () innominate com          innominate AG
System Engineer                            Don't be afraid of what you see -
Diplom-Informatiker                        be afraid of what you don't see!
tel: +49.(0)7000.POSTFIX
fax: +49.(0)30.308806-698
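The reply's diagnosis (a legitimate answer with a 60-second TTL tripping the spoof signature) can be checked directly against the quoted dump. The decoder below is an added example, not code from the thread or from Snort: the bytes are copied from the hex dump above (DNS payload only, no IP/UDP headers), and `looks_like_low_ttl_response` is an assumed reading of what the signature keys on (a response carrying a single A answer, no authority records, and a TTL of 60 seconds or less), since the rule text itself is not quoted on this page. The `with_ttl` helper patches the TTL so the same packet can be shown not matching once the TTL is longer.

```python
import struct

# Constructed from the hex dump quoted in the reply: 54 bytes of DNS payload.
DNS_RESPONSE = bytes.fromhex(
    "467E8180"          # ID 0x467E, flags 0x8180 (QR=1, RD=1, RA=1, rcode 0)
    "0001000100000000"  # QDCOUNT 1, ANCOUNT 1, NSCOUNT 0, ARCOUNT 0
    "0638342D303839"    # label "84-089"
    "066461766E6574"    # label "davnet"
    "03636F6D"          # label "com"
    "02686B"            # label "hk"
    "00"                # end of name
    "00010001"          # QTYPE A, QCLASS IN
    "C00C"              # answer name: compression pointer to offset 12
    "00010001"          # TYPE A, CLASS IN
    "0000003C"          # TTL 60 seconds
    "0004CA455459"      # RDLENGTH 4, RDATA 202.69.84.89
)

# Byte offset of the answer TTL in this specific message (12-byte header + 22-byte
# question name + 4 bytes qtype/qclass + 2-byte pointer + 4 bytes type/class).
TTL_OFFSET = 44


def read_name(buf, off, max_jumps=8):
    """Decode a DNS name at `off`, following RFC 1035 compression pointers.
    Returns (dotted_name, offset_just_past_the_name_in_the_original_stream)."""
    labels = []
    end = None          # where the caller continues parsing; set on first pointer
    jumps = 0
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:               # compression pointer
            jumps += 1
            if jumps > max_jumps:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            if end is None:
                end = off + 2                   # pointer is the last 2 bytes of this name
            off = pointer
            continue
        if length == 0:                          # root label terminates the name
            off += 1
            break
        labels.append(buf[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if end is not None else off)


def parse_response(buf):
    """Parse header, question section and answer section of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", buf, 0)
    off = 12
    questions = []
    for _ in range(qd):
        name, off = read_name(buf, off)
        qtype, qclass = struct.unpack_from("!HH", buf, off)
        off += 4
        questions.append((name, qtype, qclass))
    answers = []
    for _ in range(an):
        name, off = read_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:            # render A records as dotted quads
            rdata = ".".join(str(b) for b in rdata)
        answers.append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
            "questions": questions, "answers": answers}


def looks_like_low_ttl_response(msg, max_ttl=60):
    """Assumed signature condition: a response with exactly one A answer, no
    authority records, and a TTL of max_ttl seconds or less. A short-TTL zone
    such as the one in this thread matches this legitimately."""
    return (msg["is_response"] and msg["ancount"] == 1 and msg["nscount"] == 0
            and all(a["type"] == 1 and a["ttl"] <= max_ttl for a in msg["answers"]))


def with_ttl(buf, ttl):
    """Return a copy of DNS_RESPONSE-shaped message with the answer TTL replaced."""
    return buf[:TTL_OFFSET] + struct.pack("!I", ttl) + buf[TTL_OFFSET + 4:]


if __name__ == "__main__":
    msg = parse_response(DNS_RESPONSE)
    print(msg["questions"][0][0], "->", msg["answers"][0]["rdata"],
          "TTL", msg["answers"][0]["ttl"], "NSCOUNT", msg["nscount"])
    print("matches low-TTL condition:", looks_like_low_ttl_response(msg))
    print("same answer with TTL 86400:",
          looks_like_low_ttl_response(parse_response(with_ttl(DNS_RESPONSE, 86400))))
```

Running this prints the same name, address and 60-second TTL that `dig` returned, which is the point of the reply: the packet is a well-formed answer from a short-TTL zone, and the alert is a false positive for that zone rather than evidence of spoofing. A sensor tuned on this condition should be whitelisted per zone or correlated with the authoritative answer before being treated as an incident.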
Current thread:
- help with "DNS SPOOF" incidents R P G (May 30)
- Re: help with "DNS SPOOF" incidents Ralf Hildebrandt (May 31)