From: John Sage (jsage finchhaven.com)
Date: Fri Dec 14 2001 - 23:12:18 CST

David:
David E. Gianndrea wrote:
> Could someone explain what this alert means?
>
> DNS SPOOF query response with ttl: 1 min. and no authority

A DNS query response would be expected to return name server records for
the subject of the query; then the nameserver queried would be said to
be "authoritative" for the subject.

Whatever you've received had no authoritative records.

The output of snort played back from a binary log of mine has this:

20:02:36.534182 209.192.217.105.domain > 12.82.128.69.1025: [udp sum ok]
21427* q: PTR? 57.0/24.67.28.64.in-addr.arpa. 1/3/3

The 1/3/3 indicates this response had one answer record, three
authoritative records, and three additional records.

For this snort rule (and one other in dns.rules) the lack of any
authority records, combined with a TTL of 1, represents the problem.

- John
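
The check described in the reply above, written out as an added Python example; it is not code from the original post and not Snort's own rule logic. It reads the answer/authority/additional counts from the DNS header (the 1/3/3 in the trace) and flags a response with no authority records and a one-minute answer TTL. Assumptions: "ttl: 1 min." is taken to mean a TTL field of 60 seconds, the names `inspect_response` and `build_sample` are hypothetical, and the sample packets are constructed.

```python
import struct

SUSPECT_TTL = 60  # assumption: the alert's "ttl: 1 min." is a TTL field of 60 seconds

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length

def inspect_response(msg):
    """Report answer/authority/additional counts and the no-authority, 1-minute-TTL case."""
    try:
        _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
        off = 12
        for _ in range(qd):         # question: name, qtype, qclass
            off = skip_name(msg, off) + 4
        ttls = []
        for _ in range(an):         # answer RR: name, type, class, ttl, rdlength, rdata
            off = skip_name(msg, off)
            _type, _class, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            ttls.append(ttl)
            off += 10 + rdlen
    except (IndexError, struct.error):
        raise ValueError("truncated or malformed DNS message") from None
    is_response = bool(flags & 0x8000)   # QR bit set means response
    return {
        "counts": f"{an}/{ns}/{ar}",     # same order as the 1/3/3 in the trace
        "ttls": ttls,
        "suspicious": is_response and ns == 0 and SUSPECT_TTL in ttls,
    }

def build_sample(ttl, ns_count, flags=0x8180):
    """Constructed packet: one A answer for example.com plus ns_count NS records."""
    hdr = struct.pack("!6H", 0x1234, flags, 1, 1, ns_count, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes([192, 0, 2, 1])
    ns_rdata = b"\x02ns\xc0\x0c"    # ns.example.com via compression pointer
    ns_rr = b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 3600, len(ns_rdata)) + ns_rdata
    return hdr + question + answer + ns_rr * ns_count

if __name__ == "__main__":
    for ttl, ns in [(60, 0), (60, 3), (3600, 0)]:
        print(ttl, ns, inspect_response(build_sample(ttl, ns)))
```
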