Intrusion Detection Systems mailing list archives

Re: reading signatures?


From: robert_david_graham () yahoo com (Robert Graham)
Date: Fri, 22 Oct 1999 15:12:07 -0700 (PDT)



--- matthew.fearnow () mcp com wrote:
> Can anyone give me some insight into what this means?
> 
> 14:17:51.220753 myhost.here.com.9999 > othersite.there.com.53: 1205+ (45)
> 14:17:51.718414 myhost.here.com.9999 > othersite.there.com.53: 1205+ (45)
> 14:42:49.550408 myhost.here.com.9999 > anothersite.there.com.53: 1194+ (45)
> Thanks,
> Matt

This is really not enough info to make a guess. Port 53 is DNS, so the question
should be phrased as "why is myhost.here.com making DNS requests to
othersite.there.com and anothersite.there.com?"

Possible reasons include:
* myhost.here.com is a DNS server, and is making normal attempts to resolve
names
* myhost.here.com is not a DNS server, but is still trying to resolve names for
its own use. This is extremely rare, because most hosts are configured to go
through a local DNS server.
* myhost.here.com is compromised with a rootkit, and is using DNS as a covert
channel, since many firewalls don't log it.

Speaking of which, why is your firewall logging this traffic? Is your firewall,
in fact, filtering out this outgoing DNS traffic? Maybe you have a firewall
rule configured to allow outgoing DNS only from your DNS server, and
myhost.here.com is not configured to use it.

Another thing to do is set up a sniffer (tcpdump, NAI sniffer, etc.) and capture
all these frames. This would clearly indicate if this is being used as a covert
channel. IDS systems (which is what this group is about) should also trigger on
non-DNS traffic going over port 53.

Rob.

=====
Robert Graham
"Anxiously awaiting the millennium so I can start programming
dates with 2-digits again."
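The reply suggests capturing the frames and checking whether what crosses port 53 is actually DNS, and notes that an IDS should alarm on non-DNS traffic over that port. The following script is an added example, not code from the thread or from tcpdump: it decodes a UDP/53 payload strictly enough to tell a well-formed query (header plus a parseable question section) from bytes that merely happen to use port 53, and it renders the "1205+ (45)" notation seen in Matt's log lines (query ID, "+" when the recursion-desired bit is set, payload length in parentheses). All packets it runs on are constructed inline; the host names, query IDs and the "trailing bytes" and NULL-record heuristics are illustrative assumptions, not anything the original posters observed.

```python
"""Sanity-check UDP/53 payloads: is this really DNS, or something hiding on port 53?
Added example; the sample packets below are constructed, not captured traffic."""
import struct

# DNS header flag layout (RFC 1035, with AD/CD from RFC 2535):
# QR(15) Opcode(14..11) AA(10) TC(9) RD(8) RA(7) Z(6) AD(5) CD(4) RCODE(3..0)
VALID_OPCODES = {0, 1, 2, 4, 5}          # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
VALID_QCLASSES = {1, 3, 4, 254, 255}     # IN, CH, HS, NONE, ANY
QTYPE_NULL = 10                          # favoured by DNS tunnels, almost never legitimate


def build_query(qname, qtype=1, qid=1205, rd=True):
    """Constructed sample input: a minimal standard query, one question, no EDNS."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_dns(payload):
    """Strictly decode the header and question section; raise ValueError on
    anything a real resolver would not have emitted."""
    if len(payload) < 12:
        raise ValueError("shorter than a DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode not in VALID_OPCODES:
        raise ValueError("unknown opcode %d" % opcode)
    if (flags >> 6) & 1:                 # only bit 6 is still reserved; AD/CD are legal
        raise ValueError("reserved Z bit set")
    off = 12
    questions = []
    for _ in range(qd):
        labels = []
        while True:
            if off >= len(payload):
                raise ValueError("truncated qname")
            ln = payload[off]
            off += 1
            if ln == 0:
                break
            if ln > 63:                  # also rejects 0xC0 compression pointers,
                raise ValueError("bad label length %d" % ln)   # which never appear in a question
            label = payload[off:off + ln]
            off += ln
            if len(label) != ln:
                raise ValueError("truncated label")
            labels.append(label)
        if off + 4 > len(payload):
            raise ValueError("truncated qtype/qclass")
        qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        if qclass not in VALID_QCLASSES:
            raise ValueError("bad qclass %d" % qclass)
        questions.append((b".".join(labels).decode("ascii", "replace"), qtype, qclass))
    return {"id": qid, "qr": flags >> 15, "rd": (flags >> 8) & 1,
            "counts": (qd, an, ns, ar), "questions": questions, "offset": off}


def tcpdump_summary(payload):
    """Render the 'ID+ (len)' notation from the original log lines: '+' means the
    RD bit is set, the parenthesised number is the UDP payload length."""
    d = parse_dns(payload)
    return "%d%s (%d)" % (d["id"], "+" if d["rd"] else "", len(payload))


def classify(payload, max_qname=64):
    """Return (verdict, reason) with verdict one of 'not-dns', 'suspicious', 'dns'.
    The thresholds are assumptions for the example, not tuned production values."""
    try:
        d = parse_dns(payload)
    except ValueError as e:
        return "not-dns", str(e)
    qd, an, ns, ar = d["counts"]
    # A query whose counts say nothing follows the question, yet bytes do: a
    # cheap way to smuggle data past a filter that only checks the header.
    if d["qr"] == 0 and an == ns == ar == 0 and d["offset"] != len(payload):
        extra = len(payload) - d["offset"]
        return "suspicious", "%d trailing bytes after the question section" % extra
    for name, qtype, _ in d["questions"]:
        if qtype == QTYPE_NULL:
            return "suspicious", "NULL query for %s (tunnel-like)" % name
        if len(name) > max_qname:
            return "suspicious", "qname %d chars long (tunnel-like)" % len(name)
    return "dns", "well-formed"


# Constructed samples (not real captured traffic); hosts borrowed from the thread.
SAMPLES = {
    "legit": build_query("othersite.there.com", qid=1205),
    "shell": b"ls -la /etc; cat /etc/shadow\n",
    "trailing": build_query("othersite.there.com", qid=1205) + b"uid=0(root) gid=0(root)",
    "tunnel": build_query("a" * 50 + ".tun.there.com", qtype=QTYPE_NULL, qid=1194),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print("%-9s %-12s %s" % (label, tcpdump_summary(pkt) if label != "shell" else "-",
                                 classify(pkt)))
```

Run against a real capture, the payload handed to classify() would be the UDP data of each port-53 datagram; the decoder deliberately stops after the question section, which is all a query carries and is enough to reject arbitrary bytes, while anything that parses but carries extra data or tunnel-shaped names is reported separately so an analyst can look at it rather than have it silently dropped.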


