That is exactly what I am trying to figure out. What is the meaning of '[1au][|domain]'? 56162 is the DNS transaction ID. When a DNS server makes a request, a number is tagged to it; that way, when the reply comes back, it can match it up with the request. I just don't know what the meaning of 1au is.

vjl

-----Original Message-----
From: Valdis.Kletnieksat_private [mailto:Valdis.Kletnieksat_private]
Sent: Thursday, December 12, 2002 12:18 PM
To: larosa, vjay
Cc: incidentsat_private
Subject: Re: DNS help

On Wed, 11 Dec 2002 16:09:49 EST, "larosa, vjay" <larosa_vjayat_private> said:
> Hello,
>
> These packets were caught using a shadow IDS sensor. I was hoping that
> somebody in the list could help me understand what is happening below. I am
> familiar with snort and tcpdump, as well as the concept of packet
> fragmentation. I am mostly interested in finding out about the DNS requests
> being made, and why they are coming back fragmented.

Given that they fragged at 1480, I'd suspect you're going through a VPN at some point. You're going to their nameserver to look something up and the replies are getting fragged on the way.

Is your DNS server a secondary for a zone hosted at outside.guy.com? This looks like it might be AXFR traffic. It's hard to tell without knowing what IDS produced the log entries - if I knew what '56162 [1au][|domain]' meant I could tell you more.

> 12:15:24.020319 DNS.server.com.33795 > outside.guy.com.domain: 56162 [1au][|domain] (DF)
> 12:15:24.170988 outside.guy.com.domain > DNS.server.com.33795: 56162[|domain] (frag 48818:1480@0+)

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
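As an added example (not part of this thread), the Python below builds a DNS query with and without an EDNS0 OPT record in the additional section and renders the header the way tcpdump does, so the "[1au]" tag can be traced to ARCOUNT=1 in the 12-byte header; it also computes how many 1480-byte IP fragments a UDP reply of a given size needs on a 1500-byte link. The query name, the reuse of transaction ID 56162 and the advertised payload size are constructed, not taken from the capture.

```python
"""Where tcpdump's "[1au]" comes from, and why large UDP replies fragment at 1480.
Added example; all sample values are constructed."""
import math
import struct

OPT_TYPE = 41  # EDNS0 OPT pseudo-RR type (RFC 6891)


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus the root label."""
    labels = name.strip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"


def build_query(txid, name, qtype, edns_udp_size=None):
    """Standard recursive query. When edns_udp_size is given, an OPT record is
    appended and ARCOUNT becomes 1: that single additional record is what
    tcpdump summarises as "[1au]"."""
    arcount = 1 if edns_udp_size else 0
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD flag set
    pkt += encode_name(name) + struct.pack("!HH", qtype, 1)     # QTYPE, QCLASS IN
    if edns_udp_size:
        # OPT: root name, type 41, CLASS carries the UDP payload size, TTL 0, RDLEN 0
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return pkt


def summarize(pkt):
    """Render the header like tcpdump: id, then [Nq] if QDCOUNT != 1, [Na] for
    answers, [Nn] for authority and [Nau] for additional records when non-zero.
    (tcpdump's "[|domain]" is not a field; it marks a capture truncated by snaplen.)"""
    txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    counts = ((qd, "q"), (an, "a"), (ns, "n"), (ar, "au"))
    tags = [f"[{n}{suf}]" for n, suf in counts if n and not (suf == "q" and n == 1)]
    return " ".join([str(txid)] + tags)


def edns_udp_size(pkt):
    """UDP payload size advertised by the OPT record of a plain query, else None."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):                 # skip each question: name, QTYPE, QCLASS
        while pkt[off] != 0:
            off += 1 + pkt[off]
        off += 1 + 4
    if an or ns or ar != 1 or pkt[off] != 0:   # only the query-plus-OPT shape
        return None
    rtype, rclass = struct.unpack("!HH", pkt[off + 1:off + 5])
    return rclass if rtype == OPT_TYPE else None


def ip_fragments(dns_len, mtu=1500):
    """Number of IP fragments for a UDP datagram carrying dns_len bytes of DNS:
    each fragment holds at most (mtu - 20) payload bytes rounded down to a
    multiple of 8 (1480 on Ethernet), and the 8-byte UDP header rides in the first."""
    per_frag = ((mtu - 20) // 8) * 8
    return math.ceil((8 + dns_len) / per_frag)
```

With a 4096-byte advertised payload, the server may answer with up to ~4 KB over UDP, which a 1500-byte path splits into fragments of 1480 bytes each, matching the "frag ...:1480@0+" seen in the capture.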
This archive was generated by hypermail 2b30 : Thu Dec 12 2002 - 13:10:13 PST