Intrusion Detection Systems mailing list archives
RE: reading signatures?
From: rgula () network-defense com (Ron Gula)
Date: Wed, 27 Oct 1999 22:00:54 -0700
It may be useful to grab some packet payload data. If the payload is real DNS traffic, then it could be a broken DNS server. Also, I'm not sure if you said that these packets were UDP or TCP, but if they were UDP then sending to .0 or .255 may be a way to solicit responses from an entire network with only one packet. Of course this could also be traffic from a poorly configured DNS server.

Ron Gula
Network Security Wizards
matthew.fearnow () mcp com wrote:
-----------------------
No, at least I don't think so. This was sustained activity for about 1 hour (or until I pulled the plug on the machine). I really think it was someone port scanning for DNS servers. But what I don't get is the "1205+ (45)" at the end of it. And it was fast, so it is obviously a script. Here is a better example:

14:18:36.148999 x.x.x.x.9999 > x.x.x.0.53: 1205+ (45)
14:18:36.188602 x.x.x.x.9999 > x.x.x.0.53: 1205+ (45)
14:18:36.756601 x.x.x.x.9999 > x.x.x.255.53: 1205+ (45)
14:18:36.803255 x.x.x.x.9999 > x.x.x.255.53: 1205+ (45)
14:18:37.671712 x.x.x.x.9999 > x.x.x.0.53: 1205+ (45)
14:18:37.783548 x.x.x.x.9999 > x.x.x.0.53: 1205+ (45)
14:18:38.276469 x.x.x.x.9999 > x.x.x.0.53: 1205+ (45)
14:18:38.346480 x.x.x.x.9999 > x.x.x.255.53: 1205+ (45)
14:18:38.747676 x.x.x.x.9999 > x.x.x.0.53: 1205+ (45)
14:18:38.908229 x.x.x.x.9999 > x.x.x.255.53: 1205+ (45)
14:18:39.585781 x.x.x.x.9999 > x.x.x.255.53: 1205+ (45)
14:18:40.107080 x.x.x.x.9999 > x.x.x.255.53: 1205+ (45)
14:18:40.397962 x.x.x.x.9999 > x.x.x.255.53: 1205+ (45)
14:18:40.612117 x.x.x.x.9999 > x.x.x.0.53: 1205+ (45)
14:18:40.659457 x.x.x.x.9999 > x.x.x.255.53: 1205+ (45)
14:18:41.732946 x.x.x.x.9999 > x.x.x.0.53: 1205+ (45)
14:18:41.952114 x.x.x.x.9999 > x.x.x.255.53: 1205+ (45)
14:18:42.292261 x.x.x.x.9999 > x.x.x.255.53: 1205+ (45)
14:18:42.369584 x.x.x.x.9999 > x.x.x.0.53: 1205+ (45)
14:18:42.772469 x.x.x.x.9999 > x.x.x.255.53: 1205+ (45)
14:18:42.772562 x.x.x.x.9999 > x.x.x.0.53: 1205+ (45)
14:18:42.892015 x.x.x.x.9999 > x.x.x.0.53: 1205+ (45)
14:18:42.944009 x.x.x.x.9999 > x.x.x.0.53: 1205+ (45)
14:18:42.993064 x.x.x.x.9999 > x.x.x.255.53: 1205+ (45)
14:41:55.202938 x.x.x.x.9999 > x.x.x.255.53: 1194+ (45)
14:41:55.371552 x.x.x.x.9999 > x.x.x.0.53: 1194+ (45)
14:41:55.652843 x.x.x.x.9999 > x.x.x.0.53: 1194+ (45)
14:41:56.025792 x.x.x.x.9999 > x.x.x.255.53: 1194+ (45)
14:41:56.481790 x.x.x.x.9999 > x.x.x.0.53: 1194+ (45)
14:41:56.539961 x.x.x.x.9999 > x.x.x.255.53: 1194+ (45)
14:41:56.598891 x.x.x.x.9999 > x.x.x.0.53: 1194+ (45)
14:41:56.645087 x.x.x.x.9999 > x.x.x.255.53: 1194+ (45)
14:41:56.680081 x.x.x.x.9999 > x.x.x.255.53: 1194+ (45)
14:41:56.761283 x.x.x.x.9999 > x.x.x.0.53: 1194+ (45)
14:41:56.795913 x.x.x.x.9999 > x.x.x.255.53: 1194+ (45)
14:41:57.094019 x.x.x.x.9999 > x.x.x.0.53: 1194+ (45)
14:41:57.175700 x.x.x.x.9999 > x.x.x.0.53: 1194+ (45)
14:41:57.661521 x.x.x.x.9999 > x.x.x.0.53: 1194+ (45)
14:41:57.695545 x.x.x.x.9999 > x.x.x.0.53: 1194+ (45)
14:41:58.022902 x.x.x.x.9999 > x.x.x.255.53: 1194+ (45)
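The fields the thread is puzzling over are tcpdump's DNS one-line summary: in "1205+ (45)", 1205 is the 16-bit DNS query ID, "+" means the RD (recursion desired) bit is set, and (45) is the UDP payload length in bytes. The script below is an added example, not code from either poster: it parses lines of that format, reports per source how many queries went to a .0 or .255 address (the check Ron suggests), whether the source port stayed fixed and how many distinct query IDs were used, and it builds a real DNS query to show how tcpdump derives that "1205+ (N)" string. The sample log and its addresses are constructed for the example and are not taken from the capture.

```python
"""Triage tcpdump DNS summary lines of the kind quoted in this thread.

Added example; not code from either poster. The addresses below are
constructed placeholders, not the ones from the capture.
"""
import re
import struct
from collections import defaultdict

# tcpdump's DNS one-liner:
#   <ts> <src>.<sport> > <dst>.<dport>: <id>[+] [question] (<payload bytes>)
# <id> is the DNS query ID, "+" means the RD bit is set, "(N)" is the UDP
# payload length. Newer tcpdump also prints the question ("A? host."), so the
# regex accepts both the bare form quoted above and the longer one.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<qid>\d+)(?P<rd>\+?)(?P<rest>.*?)\s*\((?P<plen>\d+)\)\s*$"
)

# Constructed sample log: same shape as the quoted capture, fewer lines, plus
# one ordinary query to a real resolver address that must NOT be flagged.
SAMPLE_LOG = """\
14:18:36.148999 198.51.100.9.9999 > 192.0.2.0.53: 1205+ (45)
14:18:36.188602 198.51.100.9.9999 > 192.0.2.0.53: 1205+ (45)
14:18:36.756601 198.51.100.9.9999 > 192.0.2.255.53: 1205+ (45)
14:41:55.202938 198.51.100.9.9999 > 192.0.2.255.53: 1194+ (45)
14:41:55.371552 198.51.100.9.9999 > 192.0.2.0.53: 1194+ (45)
14:42:01.000000 192.0.2.77.33001 > 192.0.2.10.53: 4321+ A? www.example.com. (33)
"""


def parse_line(line):
    """Return the fields of one tcpdump DNS line as a dict, or None if it is not one."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "qid": int(d["qid"]), "rd": d["rd"] == "+",
        "question": d["rest"].strip(), "plen": int(d["plen"]),
    }


def is_net_or_bcast(addr):
    """True for x.x.x.0 / x.x.x.255: a resolver has no reason to send queries there."""
    return addr.rsplit(".", 1)[1] in ("0", "255")


def analyze(log_text):
    """Summarise, per source, port-53 queries aimed at network/broadcast addresses.

    A fixed source port and a query ID reused across many packets point at a
    script rather than a stub resolver, so both are reported alongside the count.
    """
    per_src = defaultdict(lambda: {"hits": 0, "dsts": set(), "qids": set(), "sports": set()})
    for line in log_text.splitlines():
        p = parse_line(line)
        if p is None or p["dport"] != 53 or not is_net_or_bcast(p["dst"]):
            continue
        s = per_src[p["src"]]
        s["hits"] += 1
        s["dsts"].add(p["dst"])
        s["qids"].add(p["qid"])
        s["sports"].add(p["sport"])
    return {
        src: {
            "packets": s["hits"],
            "targets": sorted(s["dsts"]),
            "distinct_qids": len(s["qids"]),
            "fixed_sport": len(s["sports"]) == 1,
        }
        for src, s in per_src.items()
    }


def build_dns_query(qid, name, rd=True, qtype=1):
    """Build a minimal DNS query (12-byte header + one question) with the given ID and RD bit."""
    flags = 0x0100 if rd else 0x0000  # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)  # ID, flags, QD=1, AN, NS, AR
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def tcpdump_summary(payload):
    """Render a DNS payload the way tcpdump abbreviates it: '<id>[+] (<len>)'."""
    qid, flags = struct.unpack("!HH", payload[:4])
    return "%d%s (%d)" % (qid, "+" if flags & 0x0100 else "", len(payload))


if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG).items():
        print(src, info)
    print(tcpdump_summary(build_dns_query(1205, "example.com")))
```

On the constructed sample the scripted sender is the only source reported, with a fixed source port and two query IDs, while the ordinary query to the .10 resolver is ignored. The reason a practitioner cares about the .0/.255 destinations is the one Ron gives: a UDP query to a directed-broadcast address can make every host on that subnet answer, so beyond alerting on it the check worth making is whether the border router forwards directed broadcasts at all (on Cisco IOS, `no ip directed-broadcast` on the inbound interface disables that).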
Current thread:
- Re: Problem in snort 1.3, (continued)
- Re: Problem in snort 1.3 Lance Spitzner (Oct 24)
- Re: Problem in snort 1.3 Ron Gula (Oct 25)
- Re: Problem in snort 1.3 Martin Roesch (Oct 25)
- Traffic Lister, Justin (Oct 25)
- Comparison of several IDS Lister, Justin (Oct 25)
- Re: Problem in snort 1.3 Lance Spitzner (Oct 24)
- Re: reading signatures? H D Moore (Oct 24)
- RE: reading signatures? matthew.fearnow () mcp com (Oct 22)
- RE: reading signatures? Kim Robert Blix (Oct 25)
- Re: reading signatures? Robert Graham (Oct 22)
- RE: reading signatures? Alex.Senkevitch () midata com (Oct 27)
- RE: reading signatures? Ron Gula (Oct 27)
