Subject: [snort] zone transfer revisited
From: Joey McAlerney (joeySiliconDefense.com)
Date: Mon Mar 06 2000 - 14:47:23 CST


Hello All,

I know there has been a lot of discussion on this list about DNS zone
transfers (more specifically Max Vision's IDS212 alert), but I was
wondering if anyone else could provide more information on the subject,
based on what I'm seeing on a client's network.

Some type of Windows web server is consistently performing what looks
like normal UDP DNS queries:

11:24:24.426107 xxxxxxxx.com.2663 > primaryDNS.domain: 19627+ PTR?
yy.yyy.yyy.yy.in-addr.arpa. (44)
11:24:24.538715 primaryDNS.domain > xxxxxxxxx.com.2663: 19627* 1/3/3 PTR
blah.blah.net. (227)
11:24:24.542386 xxxxxxxx.com.2664 > primaryDNS.domain: 19628+ PTR?
zzz.zzz.zzz.zz.in-addr.arpa. (45)
11:24:24.543499 primaryDNS.domain > xxxxxxxxxx.com.2664: 19628* 1/3/3
PTR blah2.com. (225)
etc...

And every couple seconds, Snort gives us IDS212 alerts from stuff like
this, just from the one address:

11:24:28.893680 xxxxxxxx.com.2670 > primaryDNS.domain: S
324876332:324876332(0) win 8192 <mss 1460> (DF)
11:24:28.893974 primaryDNS.domain > xxxxxxxxxx.com.2670: S
716155708:716155708(0) ack 324876333 win 32736 <mss 1460>
11:24:28.894120 xxxxxxxxxxxx.com.2670 > primaryDNS.domain: . ack 1 win
8760 (DF)
11:24:28.894783 xxxxxxxxxxxx.com.2670 > primaryDNS.domain: P 1:31(30)
ack 1 win 8760 (DF)
11:24:28.896051 primaryDNS.domain > xxxxxxxxxxxx.com.2670: P 1:163(162)
ack 31 win 32736 (DF)
11:24:28.896429 xxxxxxxxxxxx.com.2670 > primaryDNS.domain: R
324876363:324876363(0) win 0 (DF)

Judging from the past mail, people have experienced the same thing, or
something similar. There were hints that a Microsoft product will try
to do zone transfers, and set the alert off. Does anyone know what this
product is? My guess is that it's just misconfigured. Or, this could
be normal zone transfer traffic, and we are stuck sifting through it to
find actual alerts of concern.

I hope this is appropriate to post, and other people learn from what
answers may come forth.

Thanks,

-Joey M.
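The question the post raises, whether a TCP connection to port 53 is an actual zone transfer or just an ordinary query that went over TCP, can be answered from the client's first payload rather than from the port alone. The following is an added example, not code from the original post or from Snort: it parses the DNS-over-TCP framing from RFC 1035 (a 2-byte length prefix, then the 12-byte header and the question section, including compressed names) and reports the QTYPE, which is 252 for AXFR and 251 for IXFR. The two sample payloads are constructed here for illustration; they are not the bytes from the capture above, and the names in them are placeholders.

```python
"""
Classify a DNS-over-TCP client payload as a zone transfer or an ordinary query.

Added example, not part of the original post.  Assumes only RFC 1035 wire
format: over TCP a message is prefixed with a 2-byte big-endian length, the
header is 12 bytes, and the first question carries QNAME, QTYPE, QCLASS.
AXFR = 252 and IXFR = 251.  All sample payloads below are constructed.
"""
import struct

QTYPE_NAMES = {1: "A", 12: "PTR", 251: "IXFR", 252: "AXFR"}
ZONE_TRANSFER_QTYPES = {251, 252}


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_tcp_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a one-question query (RD set, class IN) with the TCP length prefix."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    msg = header + encode_name(name) + struct.pack(">HH", qtype, 1)
    return struct.pack(">H", len(msg)) + msg


def decode_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name at msg[off]; return (name, end offset).

    'end' is the offset just past the name in the original byte stream, i.e.
    past the first compression pointer if one was followed.
    """
    labels = []
    end = None
    hops = 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length == 0:
            return ".".join(labels), (end if end is not None else off + 1)
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            if end is None:
                end = off + 2
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        if length > 63:
            raise ValueError("bad label length")
        labels.append(msg[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length


def parse_tcp_dns_query(payload: bytes) -> dict:
    """Parse the first question of a DNS-over-TCP payload; raise on malformed input."""
    if len(payload) < 2:
        raise ValueError("no TCP length prefix")
    (length,) = struct.unpack(">H", payload[:2])
    msg = payload[2:2 + length]
    if len(msg) != length:
        raise ValueError(f"length prefix says {length} bytes, got {len(msg)}")
    if len(msg) < 12:
        raise ValueError("DNS header truncated")
    txid, flags, qdcount = struct.unpack(">HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    qname, off = decode_name(msg, 12)
    if off + 4 > len(msg):
        raise ValueError("question section truncated")
    qtype, qclass = struct.unpack(">HH", msg[off:off + 4])
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),
        "qname": qname,
        "qtype": qtype,
        "qclass": qclass,
        "qtype_name": QTYPE_NAMES.get(qtype, str(qtype)),
        "zone_transfer": qtype in ZONE_TRANSFER_QTYPES,
    }


def triage(payload: bytes) -> str:
    """One-line verdict for an alert: zone transfer, or a query that merely used TCP."""
    q = parse_tcp_dns_query(payload)
    kind = "ZONE TRANSFER" if q["zone_transfer"] else "ordinary TCP query"
    return f"{kind}: {q['qtype_name']} {q['qname']}"


# Constructed samples (placeholder names, not bytes from any real capture).
AXFR_SAMPLE = build_tcp_query("blah.net", 252)                  # real zone transfer
PTR_OVER_TCP_SAMPLE = build_tcp_query("yy.yyy.yyy.yy.in-addr.arpa", 12)  # PTR, but on TCP

if __name__ == "__main__":
    for p in (AXFR_SAMPLE, PTR_OVER_TCP_SAMPLE):
        print(triage(p))
```

Run against the first client push of a TCP/53 connection (the 30-byte `P 1:31(30)` segment in the capture above is exactly that), this tells you whether the QTYPE is AXFR/IXFR or just a PTR or A lookup that a resolver sent over TCP; a rule keyed on the port, or on a byte at a fixed offset, cannot make that distinction, which is why an alert firing every few seconds from one host is worth checking at the payload level before concluding either that it is noise or that it is a real transfer.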