Subject: [snort] DNS lookups too sensitive...or are these attacks??
From: James McLaughlin (katana at montrose.net)
Date: Thu Mar 30 2000 - 12:52:07 CST
- Next message: Bobby, Paul: "[snort] Flexible Response within Snort"
- Previous message: Marcy Abene: "Re: [snort] [OT] SANS NewsBites"
- In reply to: Stephen Zedalis: "Re: [snort] Spoofed IP source detection"
- Next in thread: per.thorsheim at no.pwcglobal.com: "Re: [snort] Spoofed IP source detection"
- Reply: James McLaughlin: "[snort] DNS lookups too sensitive...or are these attacks??"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Since this is my first morning waking up to a SNORT log...I am not sure what
to think...either we are getting slammed or SNORT is very sensitive to DNS
lookups...can someone shed some light on this?
I just got Snort working last night and messed with the rules a bit.
Here is a copy of my general snort-lib:
# Generic Rules taken from snort-lib modified for my personal testing.
alert icmp !$HOME_NET any -> $HOME_NET any (ipopts: lsrr; msg: "Source routed packet";)
alert icmp !$HOME_NET any -> $HOME_NET any (ipopts: ssrr; msg: "Source routed packet";)
# Wanted to log some things to see the output--first time using SNORT
log tcp !$HOME_NET any -> $HOME_NET any (ipopts: lsrr; msg: "Source routed packet";)
log tcp !$HOME_NET any -> $HOME_NET any (ipopts: ssrr; msg: "Source routed packet";)
alert udp !$HOME_NET any -> $HOME_NET any (ipopts: lsrr; msg: "Source routed packet";)
alert udp !$HOME_NET any -> $HOME_NET any (ipopts: ssrr; msg: "Source routed packet";)
My var $HOME_NET is set to <xxx.xxx.xxx.0/24>; is that correct?
alert tcp any any -> $HOME_NET 21 (flags: PA; content: "USER "; nocase; offset:0; depth:5; content: " "; offset:11; depth:1; content: " "; offset: 18; depth:1; content: " :"; offset: 26; depth: 2; msg: "PrettyPark activity!";)
A buddy and I went through these this morning (there were quite a few).
Since the port it is going through off of the server is bound to named, we
are guessing that it is logging the lookups that are odd? Is that right???
I would like to be sure, though. I got a nice list built up of the alerts
that were sent to my log files this morning. Here is a list of the
associated "trojans" and "strange activity":
[**] Trojan Cow [**]
03/30-06:18:39.959500 0:10:5A:E6:41:95 -> 0:10:7B:C0:26:81 type:0x800
len:0x101
xxx.xxx.xxx.xxx:53 -> xxx.xxx.xxx.xxx:2001 UDP TTL:64 TOS:0x0 ID:50654
Len: 223
[**] Psyber Stream [**]
03/30-07:08:46.409686 0:10:5A:E6:41:95 -> 0:10:7B:C0:26:81 type:0x800
len:0xA3
xxx.xxx.xxx.xxx:53 -> xxx.xxx.xxx.xxx:1170 UDP TTL:64 TOS:0x0 ID:53155
Len: 129
[**] FTP99cmp [**]
03/30-07:40:07.873111 0:10:5A:E6:41:95 -> 0:10:7B:C0:26:81 type:0x800
len:0xE0
xxx.xxx.xxx.xxx:53 -> xxx.xxx.xxx.xxx:1492 UDP TTL:64 TOS:0x0 ID:55806
Len: 190
****************************************************************************************************
Those are the only alerts that showed up.
Here are the actual logs that showed up in UDP:
*****************************************************************************************************
[**] Trojan Cow [**]
03/30-06:18:39.959500 0:10:5A:E6:41:95 -> 0:10:7B:C0:26:81 type:0x800
len:0x101
xxx.xxx.xxx.xxx:53 -> xxx.xxx.xxx.xxx:2001 UDP TTL:64 TOS:0x0 ID:50654
Len: 223
00 01 81 80 00 01 00 01 00 04 00 04 04 6D 61 69 .............mai
6C 08 6D 6F 6E 74 72 6F 73 65 03 6E 65 74 00 00 l.montrose.net..
01 00 01 C0 0C 00 01 00 01 00 00 58 9F 00 04 CC ...........X....
85 C3 05 08 4D 4F 4E 54 52 4F 53 45 03 4E 45 54 ....MONTROSE.NET
00 00 02 00 01 00 00 E0 9A 00 0C 03 6E 73 32 05 ............ns2.
71 77 65 73 74 C0 3C C0 33 00 02 00 01 00 00 E0 qwest.<.3.......
9A 00 06 03 6E 73 31 C0 4F C0 33 00 02 00 01 00 ....ns1.O.3.....
00 E0 9A 00 10 03 6E 73 31 06 6F 63 6B 65 72 73 ......ns1.ockers
03 6F 72 67 00 C0 33 00 02 00 01 00 00 E0 9A 00 .org..3.........
06 03 6E 73 31 C0 33 C0 4B 00 01 00 01 00 01 11 ..ns1.3.K.......
C5 00 04 CD AB 10 FA C0 63 00 01 00 01 00 01 11 ........c.......
C5 00 04 D8 6F 41 D9 C0 75 00 01 00 01 00 02 21 ....oA..u......!
6B 00 04 C6 F3 7E 7A C0 91 00 01 00 01 00 00 E0 k....~z.........
9A 00 04 CC 85 C3 02 .......
[**] Trojan Cow [**]
03/30-08:57:00.307038 0:10:5A:E6:41:95 -> 0:10:7B:C0:26:81 type:0x800
len:0x1EF
xxx.xxx.xxx.xxx:53 -> xxx.xxx.xxx.xxx:2001 UDP TTL:64 TOS:0x0 ID:64319
Len: 461
00 02 81 80 00 01 00 02 00 09 00 09 01 6D 0B 64 .............m.d
6F 75 62 6C 65 63 6C 69 63 6B 03 6E 65 74 00 00 oubleclick.net..
01 00 01 C0 0C 00 05 00 01 00 00 01 2C 00 15 03 ............,...
6D 64 31 0B 64 6F 75 62 6C 65 63 6C 69 63 6B 03 md1.doubleclick.
6E 65 74 00 C0 2F 00 01 00 01 00 00 00 76 00 04 net../.......v..
D0 B8 1D 14 C0 2F 00 02 00 01 00 00 01 2C 00 0D ...../.......,..
0A 64 63 6E 79 6D 64 67 64 73 31 C0 33 C0 2F 00 .dcnymdgds1.3./.
02 00 01 00 00 01 2C 00 0D 0A 61 6E 6E 79 6D 64 ......,...annymd
67 64 73 31 C0 33 C0 2F 00 02 00 01 00 00 01 2C gds1.3./.......,
00 0D 0A 65 78 6E 6A 6D 64 67 64 73 31 C0 33 C0 ...exnjmdgds1.3.
2F 00 02 00 01 00 00 01 2C 00 0D 0A 63 77 76 61 /.......,...cwva
6D 64 67 64 73 31 C0 33 C0 2F 00 02 00 01 00 00 mdgds1.3./......
01 2C 00 0D 0A 75 75 76 61 6D 64 67 64 73 31 C0 .,...uuvamdgds1.
33 C0 2F 00 02 00 01 00 00 01 2C 00 0D 0A 61 6E 3./.......,...an
76 61 6D 64 67 64 73 31 C0 33 C0 2F 00 02 00 01 vamdgds1.3./....
00 00 01 2C 00 0D 0A 62 62 76 61 6D 64 67 64 73 ...,...bbvamdgds
31 C0 33 C0 2F 00 02 00 01 00 00 01 2C 00 0D 0A 1.3./.......,...
75 75 63 61 6D 64 67 64 73 31 C0 33 C0 2F 00 02 uucamdgds1.3./..
00 01 00 00 01 2C 00 0D 0A 61 6E 63 61 6D 64 67 .....,...ancamdg
64 73 31 C0 33 C0 60 00 01 00 01 00 00 0E 10 00 ds1.3.`.........
04 CC FD 68 CA C0 79 00 01 00 01 00 00 0E 10 00 ...h..y.........
04 D0 B8 1D F5 C0 92 00 01 00 01 00 00 0E 10 00 ................
04 D1 43 26 16 C0 AB 00 01 00 01 00 00 0E 10 00 ..C&............
04 CD 8A 03 F0 C0 C4 00 01 00 01 00 00 0E 10 00 ................
04 CC B2 70 B6 C0 DD 00 01 00 01 00 00 0E 10 00 ...p............
04 D1 F9 E7 29 C0 F6 00 01 00 01 00 00 0E 10 00 ....)...........
04 80 0B 3C 4B C1 0F 00 01 00 01 00 00 0E 10 00 ...<K...........
04 CC B2 70 7C C1 28 00 01 00 01 00 00 0E 10 00 ...p|.(.........
04 D1 F9 E7 17 .....
[**] Psyber Stream [**]
03/30-05:50:30.997666 0:10:5A:E6:41:95 -> 0:10:7B:C0:26:81 type:0x800
len:0x88
xxx.xxx.xxx.xxx:53 -> xxx.xxx.xxx.xxx:1170 UDP TTL:64 TOS:0x0 ID:49814
Len: 102
00 02 85 80 00 01 00 04 00 00 00 00 04 61 72 63 .............arc
35 03 6D 73 6E 03 63 6F 6D 00 00 01 00 01 C0 0C 5.msn.com.......
00 01 00 01 00 00 0E 10 00 04 CF 2E BC 49 C0 0C .............I..
00 01 00 01 00 00 0E 10 00 04 CF 2E D0 C4 C0 0C ................
00 01 00 01 00 00 0E 10 00 04 CF 2E D0 C5 C0 0C ................
00 01 00 01 00 00 0E 10 00 04 CF 2E D0 C6 ..............
[**] Psyber Stream [**]
03/30-07:08:46.409686 0:10:5A:E6:41:95 -> 0:10:7B:C0:26:81 type:0x800
len:0xA3
xxx.xxx.xxx.xxx:53 -> xxx.xxx.xxx.xxx:1170 UDP TTL:64 TOS:0x0 ID:53155
Len: 129
00 01 85 83 00 01 00 00 00 01 00 00 02 31 30 03 .............10.
32 30 30 03 32 35 35 02 31 30 07 69 6E 2D 61 64 200.255.10.in-ad
64 72 04 61 72 70 61 00 00 0C 00 01 02 31 30 07 dr.arpa......10.
49 4E 2D 41 44 44 52 04 41 52 50 41 00 00 06 00 IN-ADDR.ARPA....
01 00 01 51 80 00 32 09 62 6C 61 63 6B 68 6F 6C ...Q..2.blackhol
65 03 69 73 69 03 65 64 75 00 08 62 6D 61 6E 6E e.isi.edu..bmann
69 6E 67 C0 51 01 30 BD AE 00 00 2A 30 00 00 03 ing.Q.0....*0...
84 00 09 3A 80 00 01 51 80 ...:...Q.
[**] Psyber Stream [**]
03/30-10:03:05.147680 0:10:5A:E6:41:95 -> 0:10:7B:C0:26:81 type:0x800
len:0x8F
xxx.xxx.xxx.xxx:53 -> xxx.xxx.xxx.xxx:1170 UDP TTL:64 TOS:0x0 ID:10312
Len: 109
00 07 85 83 00 01 00 00 00 01 00 00 03 77 77 77 .............www
04 6E 69 6E 6F 08 70 68 69 6C 6C 69 70 73 03 63 .nino.phillips.c
6F 6D 00 00 01 00 01 08 70 68 69 6C 6C 69 70 73 om......phillips
03 63 6F 6D 00 00 06 00 01 00 01 51 80 00 26 02 .com.......Q..&.
6E 73 C0 27 0A 68 6F 73 74 6D 61 73 74 65 72 C0 ns.'.hostmaster.
27 01 31 2D CA 00 00 2A 30 00 00 0E 10 00 36 EE '.1-...*0.....6.
80 00 01 51 80
[**] Ultors Trojan [**]
03/30-08:57:54.093135 0:10:5A:E6:41:95 -> 0:10:7B:C0:26:81 type:0x800
len:0xC3
xxx.xxx.xxx.xxx:53 -> xxx.xxx.xxx.xxx:1234 UDP TTL:64 TOS:0x0 ID:226
Len: 161
00 33 81 80 00 01 00 02 00 02 00 02 03 77 77 77 .3...........www
04 67 69 66 73 03 6E 65 74 00 00 01 00 01 C0 0C .gifs.net.......
00 05 00 01 00 00 A9 66 00 0F 04 67 69 66 73 04 .......f...gifs.
67 69 66 73 03 6E 65 74 00 C0 2A 00 01 00 01 00 gifs.net..*.....
00 A9 66 00 04 CE B9 08 B6 C0 2F 00 02 00 01 00 ..f......./.....
01 FA E6 00 0C 05 4F 52 49 4F 4E 03 41 59 45 C0 ......ORION.AYE.
34 C0 2F 00 02 00 01 00 01 FA E6 00 0C 09 43 41 4./...........CA
53 53 49 4F 50 49 41 C0 5B C0 55 00 01 00 01 00 SSIOPIA.[.U.....
01 FA E6 00 04 C6 07 C0 02 C0 6D 00 01 00 01 00 ..........m.....
01 FA E6 00 04 C6 07 C0 03 .........
[**] Ultors Trojan [**]
03/30-09:48:01.951235 0:10:5A:E6:41:95 -> 0:10:7B:C0:26:81 type:0x800
len:0x69
xxx.xxx.xxx.xxx:53 -> xxx.xxx.xxx.xxx:1234 UDP TTL:64 TOS:0x0 ID:9368
Len: 71
00 07 85 80 00 01 00 02 00 00 00 00 03 77 77 77 .............www
07 6E 65 77 73 6D 61 78 03 63 6F 6D 00 00 01 00 .newsmax.com....
01 C0 0C 00 05 00 01 00 00 0E 10 00 02 C0 10 C0 ................
2D 00 01 00 01 00 00 0E 10 00 04 D8 2E EE 22 -............."
[**] Ultors Trojan [**]
03/30-10:49:25.731452 0:10:5A:E6:41:95 -> 0:10:7B:C0:26:81 type:0x800
len:0x3B
xxx.xxx.xxx.xxx:53 -> xxx.xxx.xxx.xxx:1234 UDP TTL:64 TOS:0x0 ID:23859
Len: 25
00 46 81 82 00 01 00 00 00 00 00 00 00 03 6E 65 .F............ne
74 t
[**] Shivka-Burka [**]
03/30-11:21:13.557791 0:10:5A:E6:41:95 -> 0:10:7B:C0:26:81 type:0x800
len:0xB6
xxx.xxx.xxx.xxx:53 -> xxx.xxx.xxx.xxx:1600 UDP TTL:64 TOS:0x0 ID:36251
Len: 148
00 23 81 80 00 01 00 01 00 02 00 02 03 77 77 77 .#...........www
08 61 73 69 61 6E 6B 69 74 03 63 6F 6D 00 00 01 .asiankit.com...
00 01 C0 0C 00 01 00 01 00 01 4E 51 00 04 CF 88 ..........NQ....
50 C9 08 41 53 49 41 4E 4B 49 54 03 43 4F 4D 00 P..ASIANKIT.COM.
00 02 00 01 00 02 9F D1 00 0F 04 43 4E 53 32 07 ...........CNS2.
49 44 49 52 45 43 54 C0 3B C0 32 00 02 00 01 00 IDIRECT.;.2.....
02 9F D1 00 07 04 43 4E 53 31 C0 4F C0 4A 00 01 ......CNS1.O.J..
00 01 00 02 9F D1 00 04 CF 88 50 12 C0 65 00 01 ..........P..e..
00 01 00 02 9F D1 00 04 CF 88 42 14 ..........B.
[**] FTP99cmp [**]
03/30-06:28:22.143762 0:10:5A:E6:41:95 -> 0:10:7B:C0:26:81 type:0x800
len:0xC1
xxx.xxx.xxx.xxx:53 -> xxx.xxx.xxx.xxx:1492 UDP TTL:64 TOS:0x0 ID:51015
Len: 159
00 05 85 80 00 01 00 01 00 02 00 02 08 67 6F 2D .............go-
67 6F 2D 67 6F 0A 76 69 72 74 75 61 6C 61 76 65 go-go.virtualave
03 6E 65 74 00 00 01 00 01 C0 0C 00 01 00 01 00 .net............
01 51 80 00 04 D0 92 2D 1F 0A 76 69 72 74 75 61 .Q.....-..virtua
6C 61 76 65 03 6E 65 74 00 00 02 00 01 00 01 51 lave.net.......Q
80 00 12 03 6E 73 31 0B 66 72 65 65 76 69 72 74 ....ns1.freevirt
75 61 6C C0 44 C0 39 00 02 00 01 00 01 51 80 00 ual.D.9......Q..
06 03 6E 73 32 C0 57 C0 53 00 01 00 01 00 01 51 ..ns2.W.S......Q
80 00 04 D0 92 2D 04 C0 71 00 01 00 01 00 01 51 .....-..q......Q
80 00 04 D0 92 2D 05 .....-.
[**] FTP99cmp [**]
03/30-07:40:07.873111 0:10:5A:E6:41:95 -> 0:10:7B:C0:26:81 type:0x800
len:0xE0
xxx.xxx.xxx.xxx:53 -> xxx.xxx.xxx.xxx:1492 UDP TTL:64 TOS:0x0 ID:55806
Len: 190
00 01 85 80 00 01 00 01 00 02 00 02 02 32 31 03 .............21.
31 35 36 03 32 31 39 03 32 30 32 07 69 6E 2D 61 156.219.202.in-a
64 64 72 04 61 72 70 61 00 00 0C 00 01 C0 0C 00 ddr.arpa........
0C 00 01 00 01 51 80 00 1B 07 63 73 31 31 39 30 .....Q....cs1190
35 03 70 70 70 07 69 6E 66 6F 77 65 62 02 6E 65 5.ppp.infoweb.ne
02 6A 70 00 03 31 35 36 03 32 31 39 03 32 30 32 .jp..156.219.202
07 69 6E 2D 61 64 64 72 04 61 72 70 61 00 00 02 .in-addr.arpa...
00 01 00 01 51 80 00 0C 02 6E 73 03 77 65 62 02 ....Q....ns.web.
61 64 C0 50 C0 54 00 02 00 01 00 01 51 80 00 06 ad.P.T......Q...
03 6E 73 32 C0 7B C0 78 00 01 00 01 00 01 51 80 .ns2.{.x......Q.
00 04 CA F8 02 C9 C0 90 00 01 00 01 00 01 51 80 ..............Q.
00 04 CA DB B1 79 .....y
[**] FTP99cmp [**]
03/30-11:13:17.952372 0:10:5A:E6:41:95 -> 0:10:7B:C0:26:81 type:0x800
len:0x97
xxx.xxx.xxx.xxx:53 -> xxx.xxx.xxx.xxx:1492 UDP TTL:64 TOS:0x0 ID:35302
Len: 117
00 19 81 83 00 01 00 00 00 01 00 00 06 62 75 74 .............but
74 6F 6E 06 68 69 74 62 6F 78 03 63 6F 6D 00 00 ton.hitbox.com..
01 00 01 06 68 69 74 62 6F 78 03 63 6F 6D 00 00 ....hitbox.com..
06 00 01 00 00 0C 1B 00 34 03 6E 73 31 C0 23 0A ........4.ns1.#.
68 6F 73 74 6D 61 73 74 65 72 0C 77 65 62 73 69 hostmaster.websi
64 65 73 74 6F 72 79 C0 2A 77 36 14 8A 00 00 70 destory.*w6....p
80 00 00 0E 10 00 09 3A 80 00 00 0E 10 .......:.....
I am very new to analyzing logs...I get the general concept of <from IP> -->
<Another IP> and how the packets read...I am just trying to figure out why
and if snort is logging DNS lookups as Trojans...or are they really trojan
attempts on our customers or servers...
Thanks in advance..
Katana
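The hex dumps in the post can be checked mechanically rather than by eye. What follows is an added example, not code from the original post or from the Snort project: a small RFC 1035 decoder in Python that parses two of the posted payloads, the 06:18 "Trojan Cow" packet and the 07:08 "Psyber Stream" packet, copied byte for byte from the dumps above, and reports whether a packet from UDP source port 53 is a well-formed DNS response. The function names, the triage wording, and the reading that the trojan alerts keyed on the client-side destination port (2001, 1170, and so on) are this example's own assumptions.

```python
"""Decode DNS payloads logged by Snort to triage port-based trojan alerts.
Added example, not code from the original post or from Snort. The two sample
payloads are copied from the hex dumps in the post; the verdict text is ours."""
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR"}

def _bytes(dump):
    """Turn a Snort-style hex column (ASCII column removed) into bytes."""
    return bytes.fromhex("".join(dump.split()))

# "Trojan Cow" alert, 03/30-06:18:39, xxx:53 -> xxx:2001, UDP payload (215 bytes)
TROJAN_COW = _bytes("""
00 01 81 80 00 01 00 01 00 04 00 04 04 6D 61 69
6C 08 6D 6F 6E 74 72 6F 73 65 03 6E 65 74 00 00
01 00 01 C0 0C 00 01 00 01 00 00 58 9F 00 04 CC
85 C3 05 08 4D 4F 4E 54 52 4F 53 45 03 4E 45 54
00 00 02 00 01 00 00 E0 9A 00 0C 03 6E 73 32 05
71 77 65 73 74 C0 3C C0 33 00 02 00 01 00 00 E0
9A 00 06 03 6E 73 31 C0 4F C0 33 00 02 00 01 00
00 E0 9A 00 10 03 6E 73 31 06 6F 63 6B 65 72 73
03 6F 72 67 00 C0 33 00 02 00 01 00 00 E0 9A 00
06 03 6E 73 31 C0 33 C0 4B 00 01 00 01 00 01 11
C5 00 04 CD AB 10 FA C0 63 00 01 00 01 00 01 11
C5 00 04 D8 6F 41 D9 C0 75 00 01 00 01 00 02 21
6B 00 04 C6 F3 7E 7A C0 91 00 01 00 01 00 00 E0
9A 00 04 CC 85 C3 02""")
# "Psyber Stream" alert, 03/30-07:08:46, xxx:53 -> xxx:1170, UDP payload (121 bytes)
PSYBER_STREAM = _bytes("""
00 01 85 83 00 01 00 00 00 01 00 00 02 31 30 03
32 30 30 03 32 35 35 02 31 30 07 69 6E 2D 61 64
64 72 04 61 72 70 61 00 00 0C 00 01 02 31 30 07
49 4E 2D 41 44 44 52 04 41 52 50 41 00 00 06 00
01 00 01 51 80 00 32 09 62 6C 61 63 6B 68 6F 6C
65 03 69 73 69 03 65 64 75 00 08 62 6D 61 6E 6E
69 6E 67 C0 51 01 30 BD AE 00 00 2A 30 00 00 03
84 00 09 3A 80 00 01 51 80""")

def read_name(msg, off):
    """Return (name, offset after the name), following RFC 1035 pointers."""
    labels, end = [], None
    for _ in range(128):  # bound the walk so a pointer loop cannot hang us
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer: remember where we left off
            end = end if end is not None else off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
        elif n == 0:
            return ".".join(labels) or ".", (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n
    raise ValueError("name too long or pointer loop")

def read_rr(msg, off):
    """Parse one resource record; decode A, NS/CNAME/PTR and SOA rdata."""
    name, off = read_name(msg, off)
    rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    if rtype == 1 and rdlen == 4:
        data = ".".join(str(b) for b in msg[off:off + 4])
    elif rtype in (2, 5, 12):
        data = read_name(msg, off)[0]
    elif rtype == 6:
        mname, p = read_name(msg, off)
        rname, p = read_name(msg, p)
        data = "%s %s serial=%d" % (mname, rname, struct.unpack_from("!I", msg, p)[0])
    else:
        data = msg[off:off + rdlen].hex()
    return {"name": name, "type": TYPES.get(rtype, rtype), "ttl": ttl, "data": data}, off + rdlen

def parse_dns(msg):
    """Parse header, question and the three RR sections of a DNS message."""
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype = struct.unpack_from("!H", msg, off)[0]
        questions.append((name, TYPES.get(qtype, qtype)))
        off += 4  # skip qtype and qclass
    result = {"id": ident, "is_response": bool(flags & 0x8000),
              "rcode": RCODES.get(flags & 0xF, flags & 0xF), "questions": questions}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        result[section] = []
        for _ in range(count):
            rr, off = read_rr(msg, off)
            result[section].append(rr)
    return result

def triage(src_port, dst_port, payload):
    """Explain a trojan alert that keyed on the client port of a UDP packet."""
    if src_port != 53:
        return "not from a DNS server port; inspect further"
    try:
        d = parse_dns(payload)
    except (ValueError, IndexError, struct.error):
        return "from port 53 but does not parse as DNS; inspect further"
    if not d["is_response"]:
        return "DNS query sent from port 53 to %d; unusual, inspect further" % dst_port
    qname = d["questions"][0][0] if d["questions"] else "?"
    return ("DNS %s response for %s to client port %d; a port-only trojan rule "
            "matching this is a likely false positive" % (d["rcode"], qname, dst_port))
```

Run against the first dump, `triage(53, 2001, TROJAN_COW)` reports a NOERROR answer for mail.montrose.net (A 204.133.195.5, with the zone's NS records and their glue), and `triage(53, 1170, PSYBER_STREAM)` reports an NXDOMAIN reply for a reverse lookup of 10.255.200.10 carrying the 10.IN-ADDR.ARPA SOA: ordinary resolver traffic arriving on the ports those alert names are tied to. Any of the other dumps in the post can be pasted into `_bytes` and checked the same way; where a rule keys on a port alone, the decoded question name and rcode supply what the alert text lacks.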