Snort mailing list archives

RE: DNS Help/ SID 1948

From: "Joesph Bowling" <joeybowling () hotmail com>
Date: Wed, 07 May 2003 18:56:47 -0400

Yes they do.

Anything over 512K  DNS will use TCP.

From: Demetri Mouratis <dmourati () cm math uiuc edu>
To: "Vanish Pattni (DSL AK)" <VanishP () datacom co nz>

CC: "'Everist, Benjamin S. (NASWI)'"<EveristB () naswi navy mil>,<snort-users () lists sourceforge net>

Subject: RE: [Snort-users] DNS Help/ SID 1948
Date: Wed, 7 May 2003 17:39:06 -0500 (CDT)

Uhh,

Don't DNS zone transfers use TCP?

On Thu, 8 May 2003, Vanish Pattni (DSL AK) wrote:

> we get a few of these everyday. However, at first we checked the dnsserver

> logs to see if a zone transfer had indeed happened but that was not the

> case. Finally we settled down to the fact that udp is connectionless andthe

> packets could easily be spoofed.
>

> TCP zone transfers have to come from a valid ip address and that is whatyou> really have to look out for. Check your DNS server logs for anyuncertainty.

>
> cheers
> Vanish
>
> -----Original Message-----
> From: Everist, Benjamin S. (NASWI) [mailto:EveristB () naswi navy mil]
> Sent: Thursday, May 08, 2003 6:45 AM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] DNS Help/ SID 1948
>
>
>
> Is the alert below really a DNS Zone transfer?  If not, what is it?
>

>----------------------------------------------------------------------------

> --
> #(1 - 324871) [2003-05-06 09:15:04] [arachNIDS/212] [cve/CAN-1999-0532]
> [icat/CAN-1999-0532] [snort/1948]  DNS zone transfer UDP
>
> IPv4: 207.115.64.2 -> my.home.net
>       hlen=5 TOS=0 dlen=170 ID=0 flags=0 offset=0 TTL=47 chksum=51810
> UDP:  port=53 -> dport: 53 len=150
> Payload:  length = 142
>
> 000 : 54 50 80 00 00 01 00 00 00 02 00 03 03 31 31 36   TP...........116
> 010 : 06 31 31 32 2F 32 38 03 31 33 35 02 31 38 02 31   .112/28.135.18.1
> 020 : 32 07 69 6E 2D 61 64 64 72 04 61 72 70 61 00 00   2.in-addr.arpa..

> 030 : 0C 00 01 C0 10 00 02 00 01 **00 00 FC** DB 00 12 03................

>
> 040 : 6E 73 32 08 69 73 6F 6D 65 64 69 61 03 63 6F 6D   ns2.isomedia.com

> 050 : 00 C0 10 00 02 00 01 **00 00 FC** DB 00 06 03 6E 73..............ns

>
> 060 : 31 C0 43 C0 5D 00 01 00 01 00 00 2A 30 00 04 CF   1.C.]......*0...
> 070 : 73 40 02 C0 3F 00 01 00 01 00 00 2A 30 00 04 CF   s@..?......*0...
> 080 : 73 40 03 00 00 29 10 00 00 00 80 00 00 00         s@...)........
>
> and here's the sig that triggered it:
>

> alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transferUDP";

> content: "|00 00 FC|"; offset:14; reference:cve,CAN-1999-0532;
> reference:arachnids,212; classtype:attempted-recon; sid:1948; rev:1;)
>
> Your thoughts are appreciated...
>
> v/r,
>
> Benjamin Everist
>
>

---------------------------------------------------------------------
Demetri Mouratis
dmourati () linfactory com



-------------------------------------------------------
Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
The only event dedicated to issues related to Linux enterprise solutions
www.enterpriselinuxforum.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


_________________________________________________________________

MSN 8 helps eliminate e-mail viruses. Get 2 months FREE*.http://join.msn.com/?page=features/virus




-------------------------------------------------------
Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
The only event dedicated to issues related to Linux enterprise solutions
www.enterpriselinuxforum.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

DNS Help/ SID 1948 Everist, Benjamin S. (NASWI) (May 07)
- <Possible follow-ups>
- RE: DNS Help/ SID 1948 Vanish Pattni (DSL AK) (May 07)
  - RE: DNS Help/ SID 1948 Demetri Mouratis (May 07)
    - Re: DNS Help/ SID 1948 Mathias Gygax (May 07)
- RE: DNS Help/ SID 1948 Joesph Bowling (May 07)