Subject: [Snort-users] named AXFR's anomaly?
From: Jason Haar (Jason.Haar@trimble.co.nz)
Date: Mon Nov 20 2000 - 14:03:18 CST
I'm running bind 8.2.2-p5 (p7 now of course) and last week snort picked up
an IP address attempting an AXFR of our DNS data that wasn't our secondary.
Just because I was bored I cross-checked it against named's syslog entries and,
lo and behold, no corresponding "unapproved AXFR" entry!

I then logged into an ISP and attempted an AXFR myself - and was blocked - and
that was logged - so everything looks like it's working to me.

Looking some more, I see that there is an entry from named of:

named[15237]: unapproved update from [x.x.x.x].1242 for xxx

The timestamp matches the entry in snort for the AXFR - but the source port
number is 1243!

[From the contents of the packet I can tell it's an employee running
Windows 2000 which has "update DNS" turned on - so it's no hacker].

So, should IDS212 match a DDNS packet as an AXFR, and why is the source port
number a few off that reported by named?

Does M$ DDNS do some kind of 'update DNS and then AXFR DNS for "network
neighbourhood"' kind of thing?
--
Cheers
Jason Haar
Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
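The question above is whether a dynamic-update packet should trigger a zone-transfer signature. The following is an added illustration, not code from the original post and not the Snort rule itself: a minimal DNS message parser that classifies a message by its opcode and QTYPE, placed next to a naive byte-pattern check for the AXFR type code. Both sample packets are constructed here. The TTL of 252 seconds in the update record is chosen only to show that the bytes of the AXFR type value (0x00FC) can legitimately occur inside an UPDATE message; nothing here claims that this is what IDS212 matched on in the poster's case.

```python
import struct

QTYPE_AXFR = 252          # RFC 1035: request for a zone transfer
QTYPE_SOA = 6
QTYPE_A = 1
OPCODE_QUERY = 0          # standard query, including AXFR requests
OPCODE_UPDATE = 5         # RFC 2136 dynamic update (what a W2K host sends)


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_header(msg_id, opcode, counts):
    """DNS header: ID, flags (opcode in bits 11-14), then four section counts."""
    flags = (opcode & 0xF) << 11
    return struct.pack("!HHHHHH", msg_id, flags, *counts)


def build_question(name, qtype, qclass=1):
    # The UPDATE "zone" section uses the same layout as a question entry.
    return encode_name(name) + struct.pack("!HH", qtype, qclass)


def build_rr(name, rtype, ttl, rdata, rclass=1):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


# Constructed sample 1: a genuine zone-transfer request for example.com.
AXFR_REQUEST = build_header(0x1234, OPCODE_QUERY, (1, 0, 0, 0)) + \
    build_question("example.com", QTYPE_AXFR)

# Constructed sample 2: a dynamic update registering host.example.com -> 192.0.2.10
# (zone section: SOA of example.com; update section: one A record, TTL 252 s).
DDNS_UPDATE = build_header(0x1235, OPCODE_UPDATE, (1, 0, 1, 0)) + \
    build_question("example.com", QTYPE_SOA) + \
    build_rr("host.example.com", QTYPE_A, 252, bytes([192, 0, 2, 10]))


def parse_name(data, offset):
    """Decode an uncompressed name starting at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels) + ".", offset + 1
        if length & 0xC0:
            raise ValueError("compression pointers not handled in this example")
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def classify(data):
    """Classify a DNS message by opcode first, then by QTYPE of the first question."""
    if len(data) < 12:
        return "truncated"
    msg_id, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", data[:12])
    opcode = (flags >> 11) & 0xF
    if opcode == OPCODE_UPDATE:
        return "dynamic-update"
    if opcode == OPCODE_QUERY and qdcount >= 1:
        name, off = parse_name(data, 12)
        qtype, qclass = struct.unpack("!HH", data[off:off + 4])
        return "axfr-request" if qtype == QTYPE_AXFR else "query"
    return "other"


def naive_match(data):
    """Byte-pattern check: name terminator (0x00) followed by type AXFR (0x00FC)."""
    return b"\x00\x00\xfc" in data


if __name__ == "__main__":
    for label, pkt in (("AXFR request", AXFR_REQUEST), ("DDNS update", DDNS_UPDATE)):
        print(f"{label:13s} parser={classify(pkt):15s} naive_pattern={naive_match(pkt)}")
```

The naive pattern fires on both packets because the TTL field of the update record happens to contain the same three bytes, while the parser separates them by opcode before it ever looks at a type field. The same structure applies to a Snort rule: a content match on the AXFR type value is only trustworthy when it is combined with a check that the message is a standard query.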