
RE: DNS help

From: <Faron.Golden(at)Gunter.AF.mil>
Date: Thu Dec 12 2002 - 16:58:41 EST


from the man pages of tcpdump:
src > dst: id op? flags qtype qclass name (len)

with the narrative explaining that:
If a query contains an answer, nameserver, or authoritative section, ancount, nscount, or arcount are printed as [na], [nn], or [nau], where 'n' is the appropriate count.
Applying that to the data

12:15:24.020319 DNS.server.com.33795 > outside.guy.com.domain: 56162 [1au][|domain] (DF)

you have a source > destination, an id of 56162, 1 authority section, domaintype, with a Don't Frag flag. Again, if the SHADOW sensor is functioning properly, you should be able to apply tcpdump to the raw data and read the HEX output to see exactly what was in the packet.

-----Original Message-----
From: larosa, vjay [mailto:larosa_vjay@emc.com]
Sent: Thursday, December 12, 2002 1:54 PM
To: 'Valdis.Kletnieks@vt.edu'; larosa, vjay
Cc: incidents@securityfocus.com
Subject: RE: DNS help

That is exactly what I am trying to figure out. What is the meaning of '[1au][|domain]'. 56162 is the DNS transaction ID. When a DNS server makes a request a number is tagged to it, that way when the reply comes back it can match it up with the request. I just don't know what the meaning of 1au is.

vjl
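Both of the points made above (the [na]/[nn]/[nau] section counts and the [|domain] marker in tcpdump's one-line DNS summaries, and the transaction id that lets a client match a reply to its query) can be checked mechanically over a capture. The following is an added example written for this thread, not code from tcpdump or from any poster. It parses tcpdump summary lines of the shape quoted from the man page, mapping the bracketed counts exactly as that excerpt defines them ('a' to ancount, 'n' to nscount, 'au' to arcount), also understanding the a/n/au triple tcpdump prints on replies, and then pairs replies to queries by id and reversed endpoints, reporting replies that arrive with no pending query (a capture gap, or a reply the client never asked for). The sample lines are constructed in the shape of the two lines quoted in the thread; the hosts and id 56162 come from the page, the reply's counts, the second query and the stray reply with id 9999 are made up.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample capture in the shape of the two lines quoted in the thread.
# Hosts and id 56162 come from the page; the reply's counts, the second query
# and the stray reply with id 9999 are made up for this example.
SAMPLE_LINES = [
    "12:15:24.020319 DNS.server.com.33795 > outside.guy.com.domain: 56162 [1au][|domain] (DF)",
    "12:15:24.170988 outside.guy.com.domain > DNS.server.com.33795: 56162*- 3/2/1[|domain] (DF)",
    "12:15:25.000001 DNS.server.com.33795 > outside.guy.com.domain: 56163+ A? www.example.com. (33)",
    "12:15:26.000000 outside.guy.com.domain > DNS.server.com.33795: 9999*- 1/0/0 A 192.0.2.1 (45)",
]

# "src > dst: id op? flags ..." -- the line shape quoted from the tcpdump man page.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<id>\d+)(?P<flags>[+*|-]*)(?P<rest>.*)$"
)
BRACKET_RE = re.compile(r"\[(\d+)(au|a|n)\]")       # query side: [na] [nn] [nau]
TRIPLE_RE = re.compile(r"\b(\d+)/(\d+)/(\d+)\b")    # reply side: a/n/au

# Header flag characters tcpdump appends directly to the id.
FLAG_NAMES = {
    "+": "recursion_desired",
    "*": "authoritative_answer",
    "|": "truncated_message",        # TC bit in the DNS header, not a capture problem
    "-": "recursion_not_available",
}
COUNT_FIELDS = {"a": "ancount", "n": "nscount", "au": "arcount"}
DNS_PORTS = {"domain", "53"}


@dataclass
class DnsSummary:
    ts: str
    src: str
    dst: str
    txid: int
    flags: list[str]
    ancount: int = 0
    nscount: int = 0
    arcount: int = 0
    decode_truncated: bool = False   # "[|domain]": tcpdump ran out of packet bytes
    dont_fragment: bool = False      # "(DF)" set in the IP header
    is_response: bool = False


def _port(endpoint: str) -> str:
    """Last dotted label of a tcpdump endpoint, e.g. 'domain' or '33795'."""
    return endpoint.rsplit(".", 1)[-1]


def parse_line(line: str) -> DnsSummary | None:
    """Parse one tcpdump DNS summary line; None if the line is not one."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = DnsSummary(ts=m["ts"], src=m["src"], dst=m["dst"], txid=int(m["id"]),
                     flags=[FLAG_NAMES[c] for c in m["flags"]])
    rest = m["rest"]
    for num, kind in BRACKET_RE.findall(rest):        # [1au] -> arcount = 1
        setattr(rec, COUNT_FIELDS[kind], int(num))
    triple = TRIPLE_RE.search(rest)                   # 3/2/1 -> 3 answers, 2 ns, 1 additional
    if triple:
        rec.ancount, rec.nscount, rec.arcount = (int(x) for x in triple.groups())
    rec.decode_truncated = "[|domain]" in rest
    rec.dont_fragment = "(DF)" in rest
    rec.is_response = _port(rec.src) in DNS_PORTS and _port(rec.dst) not in DNS_PORTS
    return rec


def _seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def pair_transactions(lines):
    """Match replies to queries by id and reversed endpoints.

    Returns (pairs, unsolicited_replies, unanswered_queries); each pair carries
    the query, the reply and the round-trip time in seconds.
    """
    pending, pairs, unsolicited = {}, [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if not rec.is_response:
            pending[(rec.txid, rec.src, rec.dst)] = rec
            continue
        query = pending.pop((rec.txid, rec.dst, rec.src), None)
        if query is None:
            unsolicited.append(rec)          # no query we saw carried this id
        else:
            pairs.append((query, rec, _seconds(rec.ts) - _seconds(query.ts)))
    return pairs, unsolicited, list(pending.values())


if __name__ == "__main__":
    pairs, unsolicited, unanswered = pair_transactions(SAMPLE_LINES)
    for q, r, rtt in pairs:
        print(f"id {q.txid}: query arcount={q.arcount}, reply "
              f"{r.ancount}/{r.nscount}/{r.arcount}, rtt {rtt * 1000:.1f} ms")
    print("unsolicited replies:", [r.txid for r in unsolicited])
    print("unanswered queries:", [q.txid for q in unanswered])
```

The parser keeps the two truncation notions apart: a '|' flag right after the id is the TC bit set by the server, while "[|domain]" means the captured bytes ran out before tcpdump could finish decoding, which is what one expects when only the first fragment of a large UDP reply reaches the sensor. Running it on a real capture, the interesting rows are the unsolicited replies, which should be reconciled against the sensor's own drops before being treated as anything else.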

-----Original Message-----
From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu]
Sent: Thursday, December 12, 2002 12:18 PM
To: larosa, vjay
Cc: incidents@securityfocus.com
Subject: Re: DNS help

On Wed, 11 Dec 2002 16:09:49 EST, "larosa, vjay" <larosa_vjay@emc.com> said:
> Hello,
familiar
> with snort
back
> fragmented.

Given that they fragged at 1480, I'd suspect you're going through a VPN at some point. You're going to their nameserver to look something up and the replies are getting fragged on the way.

Do you need help?

Is your DNS server a secondary for a zone hosted at outside.guy.com? This looks like it might be AXFR traffic. It's hard to tell without knowing what IDS produced the log entries - if I knew what '56162 [1au][|domain]' meant I could tell you more.

> 12:15:24.020319 DNS.server.com.33795 > outside.guy.com.domain: 56162

> 12:15:24.170988 outside.guy.com.domain > DNS.server.com.33795:

-- 
				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com

Received on Thu Dec 12 17:11:23 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:54 EDT

