Subject: Re: [snort] zone transfer revisited
From: Martin Roesch (roesch at hiverworld.com)
Date: Mon Mar 06 2000 - 17:26:50 CST
- Next message: Fabio Bastiglia Oliva: "[snort] Plugin to call external programs!"
- Previous message: Martin Roesch: "Re: [snort] Updated snort_stat.pl"
- In reply to: Joey McAlerney: "[snort] zone transfer revisited"
- Next in thread: Joey McAlerney: "Re: [snort] zone transfer revisited"
- Reply: Martin Roesch: "Re: [snort] zone transfer revisited"
- Reply: Joey McAlerney: "Re: [snort] zone transfer revisited"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi Joey,
It could be a misconfigured WINS server, or any number of other
goofy Windows problems. Do you know what's at the address that's
setting off the alerts?
-Marty
Joey McAlerney wrote:
>
> Hello All,
>
> I know there has been a lot of discussion on this list about DNS zone
> transfers (more specifically Max Vision's IDS212 alert), but I was
> wondering if anyone else could provide more information on the subject,
> based on what I'm seeing on a client's network.
>
> Some type of Windows web server is consistently performing what looks
> like normal UDP DNS queries:
>
> 11:24:24.426107 xxxxxxxx.com.2663 > primaryDNS.domain: 19627+ PTR?
> yy.yyy.yyy.yy.in-addr.arpa. (44)
> 11:24:24.538715 primaryDNS.domain > xxxxxxxxx.com.2663: 19627* 1/3/3 PTR
> blah.blah.net. (227)
> 11:24:24.542386 xxxxxxxx.com.2664 > primaryDNS.domain: 19628+ PTR?
> zzz.zzz.zzz.zz.in-addr.arpa. (45)
> 11:24:24.543499 primaryDNS.domain > xxxxxxxxxx.com.2664: 19628* 1/3/3
> PTR blah2.com. (225)
> etc...
>
> And every couple seconds, Snort gives us IDS212 alerts from stuff like
> this, just from the one address:
>
> 11:24:28.893680 xxxxxxxx.com.2670 > primaryDNS.domain: S
> 324876332:324876332(0) win 8192 <mss 1460> (DF)
> 11:24:28.893974 primaryDNS.domain > xxxxxxxxxx.com.2670: S
> 716155708:716155708(0) ack 324876333 win 32736 <mss 1460>
> 11:24:28.894120 xxxxxxxxxxxx.com.2670 > primaryDNS.domain: . ack 1 win
> 8760 (DF)
> 11:24:28.894783 xxxxxxxxxxxx.com.2670 > primaryDNS.domain: P 1:31(30)
> ack 1 win 8760 (DF)
> 11:24:28.896051 primaryDNS.domain > xxxxxxxxxxxx.com.2670: P 1:163(162)
> ack 31 win 32736 (DF)
> 11:24:28.896429 xxxxxxxxxxxx.com.2670 > primaryDNS.domain: R
> 324876363:324876363(0) win 0 (DF)
>
> Judging from the past mail, people have experienced the same thing, or
> something similar. There were hints that a microsoft product will try
> to do zone transfers, and set the alert off. Does anyone know what this
> product is? My guess is that it's just misconfigured. Or, this could
> be normal zone transfer traffic, and we are stuck sifting through it to
> find actual alerts of concern.
>
> I hope this is appropriate to post, and other people learn from what
> answers may come forth.
>
> Thanks,
>
> -Joey M.
--
Martin Roesch <roesch at hiverworld.com>
Director of Forensic Systems
http://www.hiverworld.com
Hiverworld, Inc.
Enterprise Network Security
Network Forensics, Intrusion Detection and Risk Assessment
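An added example, not code from the original post, from Snort, or from arachNIDS: on the wire a zone transfer request is just a DNS query whose QTYPE is AXFR (252) or IXFR (251), so the way to tell whether a TCP session to port 53 like the one in the capture above is a real transfer attempt, rather than an ordinary lookup that happened to use TCP, is to parse the question section of what the client sent. The Python below does that for a raw TCP/53 payload, walking the 2-byte length prefix that DNS adds over TCP and reporting each question's QTYPE; a pipelined second message or a message cut off at a segment boundary is reported rather than dropped. The PTR and AXFR messages it feeds itself are constructed sample input, and all function names here are hypothetical.

```python
"""Classify DNS-over-TCP client payloads by question type (hypothetical helper)."""
import struct

QTYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT",
               28: "AAAA", 251: "IXFR", 252: "AXFR", 255: "ANY"}
ZONE_TRANSFER_QTYPES = {251, 252}   # IXFR, AXFR (RFC 1995, RFC 1035)


def build_query(qname, qtype, txid=0x1234, over_tcp=True):
    """Construct a minimal DNS query; used only to build the sample input below."""
    labels = b"".join(bytes([len(lab)]) + lab.encode()
                      for lab in qname.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, QDCOUNT=1
    msg = header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN
    return struct.pack("!H", len(msg)) + msg if over_tcp else msg


def parse_qname(msg, off):
    """Return (name, offset after the name). Follows compression pointers safely."""
    parts, jumped, end, hops = [], False, None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated QNAME")
        n = msg[off]
        if n == 0:                       # root label terminates the name
            off += 1
            break
        if n & 0xC0 == 0xC0:             # compression pointer (unusual in a question)
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2            # resume after the first pointer
            jumped, off, hops = True, ptr, hops + 1
            if hops > 32:
                raise ValueError("pointer loop")
            continue
        parts.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(parts), (end if jumped else off)


def parse_questions(msg):
    """Parse one DNS message (no TCP length prefix); return [(qname, qtype, qclass)]."""
    if len(msg) < 12:
        raise ValueError("short header")
    _txid, _flags, qdcount, *_ = struct.unpack("!HHHHHH", msg[:12])
    off, out = 12, []
    for _ in range(qdcount):
        name, off = parse_qname(msg, off)
        if off + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out.append((name, qtype, qclass))
    return out


def classify_tcp_payload(payload):
    """Split a TCP/53 client payload into length-prefixed messages and classify each.

    One dict per question; 'zone_transfer' is True only for AXFR/IXFR.  A trailing
    partial message is reported, since on a live stream the next segment completes it.
    """
    results, off = [], 0
    while off < len(payload):
        if off + 2 > len(payload):
            results.append({"error": "partial length prefix"})
            break
        (mlen,) = struct.unpack("!H", payload[off:off + 2])
        body = payload[off + 2:off + 2 + mlen]
        if len(body) < mlen:
            results.append({"error": "partial message", "have": len(body), "need": mlen})
            break
        try:
            for name, qtype, _qclass in parse_questions(body):
                results.append({"qname": name, "qtype": qtype,
                                "qtype_name": QTYPE_NAMES.get(qtype, str(qtype)),
                                "zone_transfer": qtype in ZONE_TRANSFER_QTYPES})
        except ValueError as e:
            results.append({"error": str(e)})
        off += 2 + mlen
    return results


# Constructed sample input (not taken from the capture in the thread):
SAMPLE_PTR = build_query("4.3.2.10.in-addr.arpa", 12)   # ordinary PTR lookup over TCP
SAMPLE_AXFR = build_query("example.com", 252)            # genuine zone transfer request

if __name__ == "__main__":
    for label, pkt in (("PTR over TCP", SAMPLE_PTR), ("AXFR", SAMPLE_AXFR),
                       ("both pipelined", SAMPLE_PTR + SAMPLE_AXFR),
                       ("cut short", SAMPLE_AXFR[:-3])):
        print(label, len(pkt), "bytes ->", classify_tcp_payload(pkt))
```

Feed it the TCP payload of the client's first data segment (capture with a large enough snaplen, e.g. tcpdump -s 0, so the payload is not truncated). Note that the 30 bytes in "P 1:31(30)" above are the TCP payload, so the DNS message inside it is 28 bytes after the 2-byte length prefix; a 162-byte answer is the size of a reply to one question, not of a zone.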