[Snort-sigs] RE: [Snort-users] DNS Zone Transfer False Positive

From: James Hoagland <jim(at)SiliconDefense.com>
Date: Thu Mar 27 2003 - 10:42:34 EST

Ron,

Okay, it looks like Snort implemented the signature matching correctly since there is a 00 00 FC near the bottom of the packet. (Always good to check that first since certain snort versions have content matching problems.)

This signature was not written with using DNS for anything other than address resolution in mind. So, it may false positive sometimes with non-address queries that use TCP (such as your example). It should be rewritten to make sure the query type is "A". I don't have time right now, but hopefully someone else can pick this up (hence the cross-post to snort-sig).

Best regards,

   Jim

At 12:46 PM -0600 3/26/03, Ron Shuck wrote:
>Hi,
>
>Using 1.9.0 still, and it was rev 6 of SID:255. -- No lectures please, I
>disabled RPC until I can upgrade -- ;-)
>I wasn't sure what the significance of the TKEY name was, so I
>obfuscated it along with the IP/Checksums.
>
>08:02:03.948630 MY.NET.113.149.2856 > MY.NET.100.21.domain: P [tcp sum
>ok] 3389545719:3389545992(273) ack 3366544751 win 17267 (DF) (ttl 127,
>id 13586, len 313)
>0x0000 4500 0139 3512 4000 7f06 5426 0000 7195 E..95.@.......q.
>0x0010 0000 6415 0b28 0035 ca08 5cf7 c8a9 656f ..d..(.5..\...eo
>0x0020 5018 4373 345f 0000 010f cf88 0000 0001 P.Cs............
>0x0030 0001 0000 0001 0000 0000 0000 0000 0000 .......XXXXXXXXX
>0x0040 3935 342d 3300 00f9 0001 0e00 0000 0000 954-3......XXXXX
>0x0050 0000 0000 3935 342d 3300 00f9 00ff 0000 XXXX954-3.......
>0x0060 0000 0088 0367 7373 096d 6963 726f 736f .....gss.microso
>0x0070 6674 0363 6f6d 003e 6360 403e 64b1 c000 ft.com.>c`@>d...
>0x0080 0300 0000 654e 544c 4d53 5350 0003 0000 ....eNTLMSSP....
>0x0090 0001 0001 0054 0000 0000 0000 0055 0000 .....T.......U..
>0x00a0 0000 0000 0040 0000 0000 0000 0040 0000 .....@.......@..
>0x00b0 0014 0014 0040 0000 0010 0010 0055 0000 .....@.......U..
>0x00c0 0015 8a88 e043 0045 004e 002d 0031 0030 .....C.E.N.-.1.0
>0x00d0 0037 002d 0031 0033 0000 a8bf 4a19 6e0a .7.-.1.3....J.n.
>0x00e0 6684 44f3 e21c 2b68 ed4c 0000 0e00 0000 f.D...+h.L...XXX
>0x00f0 0000 0000 0000 3935 342d 3300 00fa 00ff XXXXXX954-3.....
>0x0100 0000 0000 0033 0367 7373 096d 6963 726f .....3.gss.micro
>0x0110 736f 6674 0363 6f6d 0000 003e 6360 408c soft.com...>c`@.
>0x0120 a000 1001 0000 00fc 88a8 0101 288c b400 ............(...
>0x0130 0000 00cf 8800 0000 00 .........
>
>Best Regards,
>
>Ron Shuck, CISSP - Managing Consultant
>Buchanan Associates - A Technology Company in the People Business
>http://www.buchanan.com
>http://www.isc2.org
>
>-----Original Message-----
>From: James Hoagland [mailto:jim@SiliconDefense.com]
>Sent: Wednesday, March 26, 2003 10:46 AM
>To: Ron Shuck; snort-users@lists.sourceforge.net

-- 
|*     Jim Hoagland, Associate Researcher, Silicon Defense     *|
|*    --- Silicon Defense: The Cyberwar Defense Company ---    *|
|*   jim(at)SiliconDefense.com, http://www.silicondefense.com/    *|
|*  Voice: (530) 756-7317                 Fax: (530) 756-7297  *|
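The false positive Jim describes comes from matching the raw byte sequence 00 00 FC anywhere in the DNS-over-TCP payload, where it can also occur inside the opaque key material of a TKEY record, instead of checking the QTYPE field of the question section itself. The following Python script is an added example, not code from this thread or from the Snort project: it contrasts a plain byte-pattern check with a small parser that reads the QTYPE from the question. The three sample messages are constructed (the TKEY one mirrors the layout of Ron's dump, a TKEY question plus an additional-section TKEY RR, with made-up key bytes); the 0xCF88 message ID, the "954-3" and "gss.microsoft.com" labels and the TKEY field values are assumptions chosen for illustration, and the Snort rule's own syntax is not reproduced.

```python
import struct

# Well-known DNS query types and classes (RFC 1035, RFC 2930).
QTYPE_A = 1
QTYPE_TKEY = 249
QTYPE_AXFR = 252
QCLASS_IN = 1
QCLASS_ANY = 255


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_tcp_query(qname, qtype, qclass=QCLASS_IN, extra_rr=b"", ar_count=0):
    """One-question DNS message with the 2-byte length prefix used over TCP."""
    header = struct.pack(">HHHHHH", 0xCF88, 0, 1, 0, 0, ar_count)  # ID, flags, QD, AN, NS, AR
    question = encode_name(qname) + struct.pack(">HH", qtype, qclass)
    msg = header + question + extra_rr
    return struct.pack(">H", len(msg)) + msg


def build_tkey_rr(owner, rdata):
    """TKEY resource record for the additional section (class ANY, TTL 0)."""
    return encode_name(owner) + struct.pack(">HHIH", QTYPE_TKEY, QCLASS_ANY, 0, len(rdata)) + rdata


def naive_content_match(tcp_payload):
    """Byte-pattern check in the spirit of the rule: fires wherever 00 00 FC occurs."""
    return b"\x00\x00\xfc" in tcp_payload


def parse_question(tcp_payload):
    """Return (qname, qtype, qclass) of the first question in a DNS-over-TCP payload."""
    if len(tcp_payload) < 2:
        raise ValueError("missing TCP length prefix")
    (length,) = struct.unpack(">H", tcp_payload[:2])
    msg = tcp_payload[2:2 + length]
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack(">H", msg[4:6])[0]
    if qdcount == 0:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        ln = msg[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos:pos + ln].decode("ascii", "replace"))
        pos += ln
    if pos + 4 > len(msg):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack(">HH", msg[pos:pos + 4])
    return ".".join(labels), qtype, qclass


def is_zone_transfer_request(tcp_payload):
    """Parser-based check: only the question's own QTYPE field decides."""
    try:
        _, qtype, _ = parse_question(tcp_payload)
    except ValueError:
        return False
    return qtype == QTYPE_AXFR


# Constructed samples (not Ron's bytes). The TKEY one mirrors the layout of his
# dump: a TKEY question plus an additional-section TKEY RR whose opaque key
# material happens to contain 00 00 FC.
KEY_BLOB = b"\x3e\x63\x60\x40\x00\x00\xfc\x88\xa8"  # constructed, not real key data
TKEY_RDATA = (encode_name("gss.microsoft.com")      # algorithm name, as in the dump
              + struct.pack(">IIHHH", 0x3E636040, 0x3E64B1C0, 3, 0, len(KEY_BLOB))
              + KEY_BLOB + struct.pack(">H", 0))    # inception, expiration, mode, error, key, other
SAMPLE_AXFR = build_tcp_query("example.com", QTYPE_AXFR)
SAMPLE_TKEY = build_tcp_query("954-3.example.com", QTYPE_TKEY,
                              extra_rr=build_tkey_rr("954-3.example.com", TKEY_RDATA), ar_count=1)
SAMPLE_A = build_tcp_query("www.example.com", QTYPE_A)

if __name__ == "__main__":
    for name, pkt in (("AXFR", SAMPLE_AXFR), ("TKEY", SAMPLE_TKEY), ("A", SAMPLE_A)):
        qname, qtype, _ = parse_question(pkt)
        print(f"{name:4} qtype={qtype:3} byte-match={naive_content_match(pkt)!s:5} "
              f"parsed-AXFR={is_zone_transfer_request(pkt)}")
```

Run stand-alone, the script shows the byte-pattern check firing on both the AXFR request and the TKEY exchange, while the parser flags only the AXFR request; the A query triggers neither. The parser deliberately refuses compression pointers and truncated messages rather than guessing, which is the behaviour a detection rule should fall back to when the question section cannot be read.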


_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
Received on Thu Mar 27 11:23:36 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:26 EDT
