From: John Sage (jsagefinchhaven.com)
Date: Fri Dec 14 2001 - 23:12:18 CST
David E. Gianndrea wrote:
> Could someone explain what this alert means?
> DNS SPOOF query response with ttl: 1 min. and no authority
A DNS query response would be expected to return name server records for
the subject of the query; then the nameserver queried would be said to
be "authoritative" for the subject.
Whatever you've received had no authoritative records.
The output of snort played back from a binary log of mine has this:
20:02:36.534182 22.214.171.124.domain > 126.96.36.199.1025: [udp sum ok]
21427* q: PTR? 57.0/188.8.131.52.in-addr.arpa. 1/3/3
The 1/3/3 indicates this response had one answer record, three
authoritative records, and three additional records.
For this snort rule (and one other in dns.rules) the lack of any
authority records, combined with a TTL of 1 represents the problem.
Snort-users mailing list
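
The condition described in the reply above (a response carrying an answer but no authority records, with a one-minute TTL), as an added example that is not part of the original post and is not Snort's own rule logic. It assumes "1 min." means a TTL of 60 seconds; the function names are hypothetical and the sample packets are constructed, not captured traffic.

```python
import struct

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if length == 0:             # root label ends the name
            return off
        off += length

def summarize(msg):
    """Response flag, (answer, authority, additional) counts, and answer TTLs."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    ttls = []
    for _ in range(an):
        off = skip_name(msg, off)
        _type, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        ttls.append(ttl)
        off += 10 + rdlen                      # fixed RR fields plus RDATA
    return bool(flags & 0x8000), (an, ns, ar), ttls

def looks_spoofed(msg, ttl_seconds=60):
    """Response with answers, zero authority records and a 1-minute TTL (assumed 60 s)."""
    try:
        is_response, (an, ns, _ar), ttls = summarize(msg)
    except (struct.error, IndexError):         # truncated or malformed packet
        return False
    return is_response and an > 0 and ns == 0 and ttl_seconds in ttls

def build_response(ns_count, ttl):
    """Constructed sample: A-record response for example.com (not captured traffic)."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, ns_count, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes([192, 0, 2, 1])
    ns_rdata = b"\x02ns\xc0\x0c"               # ns.example.com, compressed
    ns_rr = b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 3600, len(ns_rdata)) + ns_rdata
    return header + question + answer + ns_rr * ns_count

if __name__ == "__main__":
    for ns_count, ttl in [(0, 60), (3, 60), (0, 86400)]:
        print(ns_count, ttl, looks_spoofed(build_response(ns_count, ttl)))
```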