Security Incidents: Re: DNS zone transfer

Re: DNS zone transfer

From: James Hoagland <hoagland_at_SILICONDEFENSE.COM>
Date: Fri, 1 Sep 2000 15:45:28 -0700

At 3:18 PM +0100 9/1/00, Fernando Cardoso wrote:
>I guess you are used to seeing (as I am) lots of AXFRs from all places. Usually
>they came along with bind.version queries since the named NXT bug scripts
>are still hot 3lee7 stuff. They don't cause any problem except for a couple of
>lines in my logs and, sometimes, a message to the tech contact of a
>compromised machine (hello .kr!!).
>
>Yesterday, another AXFR try was made. This time from Canada:
>ts1-193.mtrl.ca.ziplink.net
>
>My IDS logged the try:
>
>[**] IDS212/dns-zone-transfer [**]
>08/31-17:19:10.789779 165.154.200.193:21368 -> my.name.server:53
>TCP TTL:109 TOS:0x0 ID:44578 DF
>*****PA* Seq: 0xB4A43A Ack: 0xE367A43 Win: 0x2000
>00 17 86 39 01 00 00 01 00 00 00 00 00 00 02 62 ...9...........b
>6E 02 70 74 00 00 0F 00 01 n.pt.....
>
>Nothing new here... What is strange is that nothing was logged in the
>nameserver!! I've tried zone transfers with dig, nslookup, host and even
>with Sam Spade and all of them left a log entry in the nameserver (bind
>8.2.2-P5).

Actually, looking at your packet dump, it is not a zone transfer. It
is a query for MX of bn.pt. You can read about the structure of DNS
packets in RFC 1035 (ftp://ftp.is.co.za/rfc/rfc1035.txt).

I recently posted to the Snort-users mailing list about possible
improvements to the arachNIDS signature for zone transfers. In short,
look for 0xFC past byte 13. See
http://www.geocrawler.com/archives/3/4890/2000/8/0/4258922/ for my
post.

Kind regards,

   Jim

--
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland_at_SiliconDefense.com                *|
|*  Voice: (707) 445-4355 x13          Fax: (707) 826-7571  *|
Received on Sep 02 2000
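The packet-dump reading in the reply above (an MX query for bn.pt, not an AXFR) and the suggested check for QTYPE 0xFC, as an added Python example that is not part of the original thread: it parses the question section of the dumped TCP payload as laid out in RFC 1035 and flags a zone transfer only when the parsed QTYPE is AXFR (252). The sample bytes are copied from the Snort dump in the post; the build_query helper is constructed here to produce a real AXFR request for comparison.

```python
import struct
QTYPE_NAMES = {1: "A", 2: "NS", 15: "MX", 252: "AXFR"}  # RFC 1035 values; AXFR = 252 = 0xFC

# TCP payload exactly as in the Snort dump above (2-byte length prefix, then the DNS message).
CAPTURED = bytes.fromhex(
    "00 17 86 39 01 00 00 01 00 00 00 00 00 00 02 62 6E 02 70 74 00 00 0F 00 01")

def parse_question(payload, tcp=True):
    """Return (qname, qtype, qclass) for the first question of a DNS query.
    With tcp=True the message is preceded by RFC 1035's 2-byte length field."""
    if tcp:
        (length,) = struct.unpack("!H", payload[:2])
        payload = payload[2:2 + length]
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:   # QR bit set (a response) or no question section
        raise ValueError("not a query with a question section")
    pos, labels = 12, []                 # QNAME starts right after the 12-byte header
    while True:
        if pos >= len(payload):
            raise ValueError("truncated QNAME")
        n = payload[pos]
        if n == 0:                       # root label ends the name
            pos += 1
            break
        if n & 0xC0:                     # compression pointer: never legal in a query's QNAME
            raise ValueError("compressed QNAME in question")
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    if pos + 4 > len(payload):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), qtype, qclass

def is_zone_transfer(payload, tcp=True):
    """True only when the parsed QTYPE is AXFR, not merely when 0xFC occurs somewhere."""
    return parse_question(payload, tcp)[1] == 252

def describe(payload, tcp=True):
    name, qtype, _ = parse_question(payload, tcp)
    return f"query for {QTYPE_NAMES.get(qtype, qtype)} of {name}"

def build_query(name, qtype, txid=0x8639, tcp=True):
    """Build a minimal recursion-desired query (constructed helper, used to make an AXFR sample)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)
    return (struct.pack("!H", len(msg)) if tcp else b"") + msg

print(describe(CAPTURED), "- zone transfer:", is_zone_transfer(CAPTURED))
```

Rebuilding the dumped bytes with build_query("bn.pt", 15) reproduces the capture exactly, which is a quick self-check that the header and question layout are read correctly.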