Snort mailing list archives

DNS zone transfers


From: john.ruff () us abb com
Date: Thu, 20 Sep 2001 14:04:56 -0400



The source IPs are machines inside my network but they are not DNS servers.  Any
idea what these alerts are saying?

From "alert_full" file:

[**] [1:255:1] DNS zone transfer [**]
[Classification: Attempted Information Leak] [Priority: 3]
09/20-13:57:14.393783 xxx.xxx.xx.xx:1821 -> 64.12.24.236:53
TCP TTL:127 TOS:0x0 ID:19377 IpLen:20 DgmLen:310 DF
***AP*** Seq: 0x514916CA  Ack: 0x5A2FF1A1  Win: 0x4506  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS212]

[...Payload of above...]
09/20-13:57:14.393783 xxx.xxx.xx.xx:1821 -> 64.12.24.236:53
TCP TTL:127 TOS:0x0 ID:19377 IpLen:20 DgmLen:310 DF
***AP*** Seq: 0x514916CA  Ack: 0x5A2FF1A1  Win: 0x4506  TcpLen: 20
2A 01 28 92 01 08 00 00 00 01 00 06 01 00 58 7A  *.(...........Xz
A4 22 B1 4E B0 74 D8 97 9E 11 E7 72 E5 BC 4D 2C  .".N.t.....r..M,
E2 FA 2D C2 C0 78 64 46 F4 B8 0A AF 63 9C CE FD  ..-..xdF....c...
7F F3 EF 39 91 30 BE 12 47 54 0F 1C 70 59 33 EA  ...9.0..GT..pY3.
31 5A 2E FD 12 57 FC CD E0 AD 95 14 AC 5C 0B 9C  1Z...W.......\..
25 A4 86 A1 35 CA 92 11 1A C8 AC D1 D5 7C DA 13  %...5........|..
E7 0B A8 85 B3 DC 99 11 34 79 83 A8 2C 4D 51 CE  ........4y..,MQ.
12 F9 85 3D 7C C3 84 80 5A 8C 0E F6 C6 E8 95 03  ...=|...Z.......
55 F0 F3 7E 5C 46 87 EF 21 A9 8C 71 A1 9A 1C AD  U..~\F..!..q....
6A 90 11 BF EA 40 63 AD 05 C5 B7 6E 14 09 49 06  j....@c....n..I.
B9 81 1F 87 CC 6B 9C FA 2B 0A E7 AC 1E 38 BD 5C  .....k..+....8.\
77 AE 03 B8 54 53 50 F3 4F 09 F6 4D 38 04 C5 A8  w...TSP.O..M8...
92 A2 56 EE 71 48 61 E0 40 18 F6 73 E2 28 2D E7  ..V.qHa.@..s.(-.
Snort received signal 3, exiting
00 00 A4 0C BF 47 37 A1 F8 F3 DE 2C 54 17 40 B8  .....G7....,T.@.
1B 5D 49 31 98 91 FF 93 83 FE 16 5C 98 2D 4E 69  .]I1.......\.-Ni
0F 3A F1 D0 40 30 E9 95 DD 6C 26 CA 70 E4 7F D3  .:..@0...l&.p...
EF F4 0C C7 B8 21 02 C2 6A BE 36 84 93 D9        .....!..j.6...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


[**] [1:255:1] DNS zone transfer [**]
[Classification: Attempted Information Leak] [Priority: 3]
09/20-13:57:16.116867 xxx.xxx.xx.xx:1823 -> 64.12.28.16:53
TCP TTL:127 TOS:0x0 ID:19396 IpLen:20 DgmLen:310 DF
***AP*** Seq: 0x5151566B  Ack: 0x5A7D3A8F  Win: 0x4506  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS212]

[...Payload of above...]
09/20-13:57:16.116867 xxx.xxx.xx.xx:1823 -> 64.12.28.16:53
TCP TTL:127 TOS:0x0 ID:19396 IpLen:20 DgmLen:310 DF
***AP*** Seq: 0x5151566B  Ack: 0x5A7D3A8F  Win: 0x4506  TcpLen: 20
2A 01 4F 8A 01 08 00 00 00 01 00 06 01 00 3D AB  *.O...........=.
A9 F6 11 98 DE FE 0F 0E 28 DD 14 C6 DC 18 61 FD  ........(.....a.
17 3F E0 06 24 93 26 CD A4 5E 92 C9 EC CD D9 D9  .?..$.&..^......
D5 96 E6 E8 51 E0 BC A6 52 6C 7F 41 EC 61 C2 E2  ....Q...Rl.A.a..
A6 B7 16 39 AF 77 84 B2 72 EA A4 FE 7F 3B F6 2F  ...9.w..r....;./
F4 47 E0 7B A7 AA 02 92 0F 7D FC B5 A4 23 96 41  .G.{.....}...#.A
94 55 A1 82 7A 39 3C 68 0F 43 75 30 B7 C5 E5 FF  .U..z9<h.Cu0....
61 42 0F CC C1 E6 7E 65 09 B4 A9 DC 94 CB 0B D6  aB....~e........
8F 52 3B 24 7C B3 C1 1D B9 48 4A 7A 2B 08 17 A4  .R;$|....HJz+...
07 05 9B 30 9F 62 74 FF 97 EF C0 11 CC 7D 28 44  ...0.bt......}(D
B8 75 7C 13 04 5F 26 8E FD AF 26 0E E7 59 14 79  .u|.._&...&..Y.y
51 68 E1 13 3A CE C5 64 BD 8C 7F 00 6D FF BE 1F  Qh..:..d....m...
ED 9E E7 E9 CA 55 99 80 F6 D8 71 60 23 86 B8 B4  .....U....q`#...
82 FD 05 60 58 C7 A1 09 30 8C A3 7A C5 27 0D 67  ...`X...0..z.'.g
B5 C8 BA 2D F6 06 C9 0D AE C8 9A 22 29 98 37 31  ...-.......").71
07 8C 99 14 59 5E A8 51 88 22 FA F8 82 C8 A0 FD  ....Y^.Q."......
FB 5B 4C 3E D7 25 19 C4 1D 61 BF 34 82 05        .[L>.%...a.4..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] [1:255:1] DNS zone transfer [**]
[Classification: Attempted Information Leak] [Priority: 3]
09/20-13:57:16.119893 xxx.xxx.xx.xx:1822 -> 64.12.26.44:53
TCP TTL:127 TOS:0x0 ID:19397 IpLen:20 DgmLen:310 DF
***AP*** Seq: 0x51507953  Ack: 0xEA4D200C  Win: 0x4506  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS212]

[...Payload of above...]
09/20-13:57:16.119893 xxx.xxx.xx.xx:1822 -> 64.12.26.44:53
TCP TTL:127 TOS:0x0 ID:19397 IpLen:20 DgmLen:310 DF
***AP*** Seq: 0x51507953  Ack: 0xEA4D200C  Win: 0x4506  TcpLen: 20
2A 01 6A 4E 01 08 00 00 00 01 00 06 01 00 A5 5B  *.jN...........[
0B 8D B8 DC A0 CC 3C D5 7E 1A 86 1C A8 D2 CE 62  ......<.~......b
67 66 51 73 CC 41 D7 48 E7 D5 E2 13 5E 6F 18 79  gfQs.A.H....^o.y
42 40 01 0E F4 5D 58 06 12 0A 8D 26 41 57 CB A8  B@...]X....&AW..
6F 57 03 8F 95 5A BC A3 73 CA A6 05 5A F4 43 B2  oW...Z..s...Z.C.
BD 58 20 AE AD 96 4D DF 43 44 33 D7 72 55 5E A0  .X ...M.CD3.rU^.
01 61 B0 EA E3 91 D1 5B EB F6 47 98 FC DB 68 7C  .a.....[..G...h|
AF 16 23 EE 35 E5 3C 46 89 68 48 0A E9 BC FF 11  ..#.5.<F.hH.....
B3 4D A7 5C AC D9 43 69 4E 50 63 AD 83 9A 36 1F  .M.\..CiNPc...6.
BE FD 2C 57 58 2A 54 72 2C 64 EA 6E B4 7A 6B DA  ..,WX*Tr,d.n.zk.
73 86 2F 48 DD 85 07 B1 3B B0 60 96 46 9D 6B BA  s./H....;.`.F.k.
6D 02 81 33 F7 F0 DA 55 73 08 62 24 22 C6 AF 23  m..3...Us.b$"..#
D7 09 33 A7 62 57 E6 F1 24 97 02 9A 24 E4 2D 78  ..3.bW..$...$.-x
33 3B 38 B6 39 BE 80 8D 6D 47 D9 8A 45 1D CB 22  3;8.9...mG..E.."
2F 4C 7D 55 E2 1B 7D 68 F7 D5 3F C4 81 10 EC 90  /L}U..}h..?.....
45 C5 CC 6E B3 5A D7 76 BD 6A 3A C9 51 01 24 7B  E..n.Z.v.j:.Q.${
11 7E AC 54 CB D3 EC 37 C6 08 90 9B 21 BB        .~.T...7....!.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] [1:255:1] DNS zone transfer [**]
[Classification: Attempted Information Leak] [Priority: 3]
09/20-13:57:16.129973 xxx.xxx.xx.xx:1824 -> 64.12.162.117:53
TCP TTL:127 TOS:0x0 ID:19398 IpLen:20 DgmLen:310 DF
***AP*** Seq: 0x5151F0E5  Ack: 0xC74BCD6D  Win: 0x4506  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS212]


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+



Regards,
John Ruff

"Shortcuts make for long delays." - J.R.R. Tolkien



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
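A triage check for alerts like the ones above, added here as an example (it is not code from the post or from Snort): it parses the first TCP segment of a client-to-port-53 stream as DNS-over-TCP and reports whether it is really an AXFR request. The sample `POST_PAYLOAD` is the first 16 bytes of the first payload dump above with its segment length taken from the alert header (DgmLen 310, IpLen 20, TcpLen 20); `build_query` constructs reference DNS queries for comparison and the zone name in it is made up.

```python
"""Triage helper for Snort SID 1:255 'DNS zone transfer' hits: decide from the
captured TCP payload whether the segment is a DNS message at all and, if so,
whether its question is an AXFR.  Added example, not from the post or from Snort."""
import struct

AXFR = 252  # QTYPE for a zone transfer request (RFC 1035)

# First 16 payload bytes of the first alert in the post; segment length from its header.
POST_PAYLOAD = bytes.fromhex("2A 01 28 92 01 08 00 00 00 01 00 06 01 00 58 7A")
POST_SEGMENT_LEN = 310 - 20 - 20   # DgmLen - IpLen - TcpLen = TCP payload bytes


def build_query(zone, qtype=AXFR, txid=0x1234):
    """Constructed reference: a DNS query for `zone` with RFC 1035 TCP length framing."""
    name = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in zone.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # QR=0, opcode 0, QDCOUNT 1
    msg = header + name + struct.pack("!HH", qtype, 1)          # QCLASS IN
    return struct.pack("!H", len(msg)) + msg


def classify(payload, segment_len):
    """Return 'axfr', 'dns-query' or 'not-dns' for the first client->tcp/53 segment."""
    if len(payload) < 14:            # 2-byte length prefix + 12-byte DNS header
        return "not-dns"
    frame_len, _txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHHH", payload[:14])
    # Plausibility checks for a single-segment query: the length prefix cannot exceed
    # the segment carrying it, QR must be 0 (query), opcode 0, exactly one question.
    if frame_len > segment_len - 2 or flags & 0x8000 or (flags >> 11) & 0xF or qd != 1:
        return "not-dns"
    pos = 14
    while pos < len(payload) and payload[pos] != 0:   # walk the QNAME labels
        if payload[pos] & 0xC0:
            return "not-dns"     # compression pointers are not valid in a question name
        pos += 1 + payload[pos]
    if pos + 5 > len(payload):   # need the root label, QTYPE and QCLASS
        return "not-dns"
    qtype, _qclass = struct.unpack("!HH", payload[pos + 1:pos + 5])
    return "axfr" if qtype == AXFR else "dns-query"


if __name__ == "__main__":
    print("post payload:", classify(POST_PAYLOAD, POST_SEGMENT_LEN))
    axfr = build_query("example.com")
    print("real AXFR:   ", classify(axfr, len(axfr)))
```

The post's segments fail the very first check (a DNS length prefix of 0x2A01 = 10753 bytes in a 270-byte segment), so whatever tripped rule 1:255 here is not DNS: the rule of that era was a short content match on port 53 traffic rather than a DNS parse, so any other protocol sent to port 53 can hit it. Every payload above begins with 0x2A, the frame marker of AOL's FLAP/OSCAR instant-messaging protocol, and the destinations are in AOL address space, which is consistent with an IM client on the internal hosts configured to use port 53, not with a zone transfer.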

