Subject: Re: [snort] zone transfer revisited
From: Joey McAlerney (joey@SiliconDefense.com)
Date: Mon Mar 06 2000 - 18:46:29 CST


Found out it's an IIS server running about 150 domains. Does IIS like to
pretend it's a secondary DNS server?

-Joey

Martin Roesch wrote:

> Hi Joey,
> It could be a misconfigured WINS server, or any number of other
> goofy Windows problems. Do you know what's at the address that's
> setting off the alerts?
>
> -Marty
>
> Joey McAlerney wrote:
> >
> > Hello All,
> >
> > I know there has been a lot of discussion on this list about DNS zone
> > transfers (more specifically Max Vision's IDS212 alert), but I was
> > wondering if anyone else could provide more information on the subject,
> > based on what I'm seeing on a client's network.
> >
> > Some type of Windows web server is consistently performing what looks
> > like normal UDP DNS queries:
> >
> > 11:24:24.426107 xxxxxxxx.com.2663 > primaryDNS.domain: 19627+ PTR?
> > yy.yyy.yyy.yy.in-addr.arpa. (44)
> > 11:24:24.538715 primaryDNS.domain > xxxxxxxxx.com.2663: 19627* 1/3/3 PTR
> > blah.blah.net. (227)
> > 11:24:24.542386 xxxxxxxx.com.2664 > primaryDNS.domain: 19628+ PTR?
> > zzz.zzz.zzz.zz.in-addr.arpa. (45)
> > 11:24:24.543499 primaryDNS.domain > xxxxxxxxxx.com.2664: 19628* 1/3/3
> > PTR blah2.com. (225)
> > etc...
> >
> > And every couple seconds, Snort gives us IDS212 alerts from stuff like
> > this, just from the one address:
> >
> > 11:24:28.893680 xxxxxxxx.com.2670 > primaryDNS.domain: S
> > 324876332:324876332(0) win 8192 <mss 1460> (DF)
> > 11:24:28.893974 primaryDNS.domain > xxxxxxxxxx.com.2670: S
> > 716155708:716155708(0) ack 324876333 win 32736 <mss 1460>
> > 11:24:28.894120 xxxxxxxxxxxx.com.2670 > primaryDNS.domain: . ack 1 win
> > 8760 (DF)
> > 11:24:28.894783 xxxxxxxxxxxx.com.2670 > primaryDNS.domain: P 1:31(30)
> > ack 1 win 8760 (DF)
> > 11:24:28.896051 primaryDNS.domain > xxxxxxxxxxxx.com.2670: P 1:163(162)
> > ack 31 win 32736 (DF)
> > 11:24:28.896429 xxxxxxxxxxxx.com.2670 > primaryDNS.domain: R
> > 324876363:324876363(0) win 0 (DF)
> >
> > Judging from the past mail, people have experienced the same thing, or
> > something similar. There were hints that a microsoft product will try
> > to do zone transfers, and set the alert off. Does anyone know what this
> > product is? My guess is that it's just misconfigured. Or, this could
> > be normal zone transfer traffic, and we are stuck sifting through it to
> > find actual alerts of concern.
> >
> > I hope this is appropriate to post, and other people learn from what
> > answers may come forth.
> >
> > Thanks,
> >
> > -Joey M.
>
> --
> Martin Roesch <roesch@hiverworld.com>
> Director of Forensic Systems http://www.hiverworld.com
> Hiverworld, Inc. Enterprise Network Security
> Network Forensics, Intrusion Detection and Risk Assessment
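The TCP session in the trace above carries only a 30-byte client payload before the client resets the connection, which is the size of a single question, not the start of a zone transfer. The check that settles the question is to decode the DNS message inside the TCP stream and look at the QTYPE of the question: AXFR (252) or IXFR (251) is a zone transfer request, anything else is an ordinary query that happens to use TCP port 53. The following is an added example written for this thread, not code from the list, from Snort or from the IDS212 signature, and it makes no claim about what IDS212 itself matches on. The messages it decodes are constructed inline (a PTR lookup like the ones in the post, and an AXFR request), and the function names are mine.

```python
"""Decode DNS messages carried over TCP and tell an AXFR/IXFR request apart
from an ordinary query that merely happens to use TCP port 53.

Added example for this thread (not code from the list or from Snort).
The sample messages at the bottom are constructed here, not taken from the
capture in the post.
"""
import struct

QTYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 12: "PTR", 15: "MX", 28: "AAAA",
               251: "IXFR", 252: "AXFR", 255: "ANY"}
ZONE_TRANSFER_QTYPES = {251, 252}


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_tcp_query(qname, qtype, msg_id=0x1234):
    """Build a DNS query and prepend the 2-byte TCP length (RFC 1035 4.2.2)."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)  # RD set
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    msg = header + question
    return struct.pack("!H", len(msg)) + msg


def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    jumped = False
    end = None
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2             # resume after the first pointer
            jumped = True
            offset = pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_tcp_dns(payload):
    """Parse the first DNS message in a TCP stream payload.

    Returns a dict with id, qr (0=query, 1=response), opcode, qname, qtype.
    """
    if len(payload) < 2:
        raise ValueError("no TCP length prefix")
    (length,) = struct.unpack("!H", payload[:2])
    msg = payload[2:2 + length]
    if len(msg) != length or length < 12:
        raise ValueError("truncated DNS message")
    msg_id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": msg_id, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "qname": qname, "qtype": qtype,
            "qtype_name": QTYPE_NAMES.get(qtype, str(qtype))}


def classify_tcp_dns(payload):
    """'zone-transfer' for AXFR/IXFR queries, 'tcp-query' for anything else."""
    q = parse_tcp_dns(payload)
    if q["qr"] == 0 and q["qtype"] in ZONE_TRANSFER_QTYPES:
        return "zone-transfer"
    return "tcp-query"


if __name__ == "__main__":
    # Constructed samples: a PTR lookup that happens to use TCP, and a real AXFR.
    ptr = build_tcp_query("4.3.2.1.in-addr.arpa", 12)
    axfr = build_tcp_query("example.com", 252)
    for name, pkt in (("ptr", ptr), ("axfr", axfr)):
        print(name, parse_tcp_dns(pkt)["qtype_name"], classify_tcp_dns(pkt))
```

Fed the reassembled client side of a TCP/53 session, `classify_tcp_dns` reports `tcp-query` for the PTR lookup and `zone-transfer` only for the AXFR request, so a port-53 TCP handshake alone is not enough to call something a transfer; the question section has to be read.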