35.467634 151.164.1.8
04/09-23:18:35.467634 151.164.1.8:53 -> 208.188.225.121:1492UDP TTL:246 TOS:0x0 ID:35890 DFLen: 17507 11 81 80 00 01 00 01 00 02 00 02 03 32 32 35 ...22503 31 38 38 03 32 30 38 07 69 6E 2D 61 64 64 72 .188.208.in-addr04 61 72 70 61 00 00 06 00 01 C0 0C 00 06 00 01 .arpa...00 00 1A F3 00 31 03 6E 73 31 06 73 77 62 65 6C ...1.ns1.swbel6C 03 6E 65 74 00 0A 70 6F 73 74 6D 61 73 74 65 l.net..postmaste72 C0 3A 0B EA 5F 5A 00 00 0E 10 00 00 03 84 00 r.:.._Z...09 3A 80 00 00 0E 10 C0 0C 00 02 00 01 00 00 1A .:...F3 00 02 C0 36 C0 0C 00 02 00 01 00 00 1A F3 00 ....6...06 03 6E 73 32 C0 3A C0 36 00 01 00 01 00 00 1C ..ns2.:.6...20 00 04 97 A4 01 01 C0 81 00 01 00 01 00 00 1C ...20 00 04 97 A4 01 07 ...
IDIC - SANS GIAC LevelTwo
©2000, 20016
Older BIND 4 server to server communications used source port 53. Some poorly implemented perimeter systems allow anything with source port 53 through. This false positive also shows the danger of detection on a single packet as opposed to watching the whole stream. According to one of the GCIA students, FTPcmp99 opens up an FTP server on your Windows 95/98/NT system. The FTP server registers itself under the key:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunObviously the default port must be 1492. So this is wired into a Snort rule, and it lights off when it sees this packet.The analyst takes one look at the asciification on the right and says, hmmm, source port 53 to 1492. 1492 is a perfectly reasonable ephemeral source port. This could be a DNS response, not a stimulus. Judging from the fact that it looks like a DNS reply duck and quacks like a DNS reply duck, the analyst prefers this answer to the possible trojan.