Snort mailing list archives

RE: DNS Help/ SID 1948


From: "Vanish Pattni (DSL AK)" <VanishP () datacom co nz>
Date: Thu, 8 May 2003 09:43:53 +1200

we get a few of these every day. However, at first we checked the DNS server
logs to see if a zone transfer had indeed happened but that was not the
case. Finally we settled down to the fact that UDP is connectionless and the
packets could easily be spoofed.
 
TCP zone transfers have to come from a valid IP address and that is what you
really have to look out for. Check your DNS server logs for any uncertainty.
 
cheers
Vanish

-----Original Message-----
From: Everist, Benjamin S. (NASWI) [mailto:EveristB () naswi navy mil]
Sent: Thursday, May 08, 2003 6:45 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] DNS Help/ SID 1948



Is the alert below really a DNS Zone transfer?  If not, what is it?  

------------------------------------------------------------------------------
#(1 - 324871) [2003-05-06 09:15:04] [arachNIDS/212] [cve/CAN-1999-0532]
[icat/CAN-1999-0532] [snort/1948]  DNS zone transfer UDP

IPv4: 207.115.64.2 -> my.home.net 
      hlen=5 TOS=0 dlen=170 ID=0 flags=0 offset=0 TTL=47 chksum=51810 
UDP:  port=53 -> dport: 53 len=150 
Payload:  length = 142 

000 : 54 50 80 00 00 01 00 00 00 02 00 03 03 31 31 36   TP...........116 
010 : 06 31 31 32 2F 32 38 03 31 33 35 02 31 38 02 31   .112/28.135.18.1 
020 : 32 07 69 6E 2D 61 64 64 72 04 61 72 70 61 00 00   2.in-addr.arpa.. 
030 : 0C 00 01 C0 10 00 02 00 01 **00 00 FC** DB 00 12 03   ................
040 : 6E 73 32 08 69 73 6F 6D 65 64 69 61 03 63 6F 6D   ns2.isomedia.com 
050 : 00 C0 10 00 02 00 01 **00 00 FC** DB 00 06 03 6E 73   ..............ns
060 : 31 C0 43 C0 5D 00 01 00 01 00 00 2A 30 00 04 CF   1.C.]......*0... 
070 : 73 40 02 C0 3F 00 01 00 01 00 00 2A 30 00 04 CF   s@..?......*0... 
080 : 73 40 03 00 00 29 10 00 00 00 80 00 00 00         s@...)........ 

and here's the sig that triggered it: 

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer UDP";
content: "|00 00 FC|"; offset:14; reference:cve,CAN-1999-0532;
reference:arachnids,212; classtype:attempted-recon; sid:1948; rev:1;) 

Your thoughts are appreciated... 

v/r, 

Benjamin Everist 
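An added example, not part of either message in this thread: a small Python decoder that parses the payload Benjamin posted (bytes copied from his hex dump) and shows where the rule's |00 00 FC| actually lands, compared with what a genuine zone-transfer request looks like in the question section (type 252, AXFR). The names read_name, parse_question, is_axfr_query, sid1948_match_offset and build_query are this example's own, not Snort's.

```python
import struct
QTYPE_AXFR = 252  # 0x00FC, the question type a genuine zone-transfer request carries

# Constructed: the 142-byte UDP payload copied from the hex dump in the original post.
PAYLOAD = bytes.fromhex(
    "54508000000100000002000303313136" "063131322f3238033133350231380231"
    "3207696e2d6164647204617270610000" "0c0001c010000200010000fcdb001203"
    "6e73320869736f6d6564696103636f6d" "00c010000200010000fcdb0006036e73"
    "31c043c05d0001000100002a300004cf" "734002c03f0001000100002a300004cf"
    "7340030000291000000080000000")

def read_name(msg, off):
    """Decode a possibly compressed DNS name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_question(msg):
    """Header facts plus the first question-section entry of a DNS message."""
    _ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    qname, off = read_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"is_response": bool(flags & 0x8000), "qname": qname, "qtype": qtype, "counts": (qd, an, ns, ar)}

def is_axfr_query(msg):
    """What SID 1948 is meant to catch: a query (QR=0) whose question type is AXFR."""
    q = parse_question(msg)
    return not q["is_response"] and q["qtype"] == QTYPE_AXFR

def sid1948_match_offset(msg):
    """Where the rule's content |00 00 FC| first occurs at or after payload offset 14, -1 if never."""
    return msg.find(b"\x00\x00\xfc", 14)

def build_query(name, qtype, ident=0x1234):
    """Constructed minimal query (QR=0, no RRs), to compare a real AXFR request with the capture."""
    labels = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split("."))
    return struct.pack("!6H", ident, 0, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)

if __name__ == "__main__":  # captured payload: a PTR *response*; pattern hit at 57 is inside an NS record's TTL
    print(parse_question(PAYLOAD), sid1948_match_offset(PAYLOAD), is_axfr_query(PAYLOAD))
```

On the captured payload the decoder reports a response (QR=1) to a PTR question for 116.112/28.135.18.12.in-addr.arpa with 0 answers, 2 authority NS records and 3 additional records, and the first |00 00 FC| sits at offset 57, the TTL bytes 00 00 FC DB of the first NS record; a constructed AXFR query for example.com also matches the byte pattern, but only it satisfies is_axfr_query.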
