RealSecure Network, BlackICE Agent for Server, RealSecure Desktop Protector, RealSecure Server Sensor, Proventia Server IPS for Microsoft Windows technology, BlackICE Server Protection, RealSecure Sentry, RealSecure Guard, BlackICE PC Protection, Proventia Server IPS for Linux technology, RealSecure Desktop Protector 3.6, Proventia Network IPS, Proventia Desktop, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS:
This signature detects a zone transfer occurring from a source port greater than 1024.
This signature replaces DNS_Zone_High_Port.
Low
RealSecure Network: 7.0, BlackICE Agent for Server: 3.6, RealSecure Desktop Protector: 3.6, RealSecure Server Sensor: 7.0, Proventia Server IPS for Microsoft Windows technology: 1.0.914.0, BlackICE Server Protection: 3.6.cbd, RealSecure Sentry: 3.6, RealSecure Guard: 3.6, BlackICE PC Protection: 3.6.cbd, Proventia Server IPS for Linux technology: 1.0, RealSecure Desktop Protector 3.6: baseline, Proventia Network IPS: 2.0, Proventia Desktop: 8.0.614.1, Proventia Network IDS: A Series, Proventia-G 1.1 and earlier: G Series, Proventia Network MFS: 1.0, RealSecure Desktop: baseline
Various vendors: Any application, DNS: DNS
Pre-attack Probe
A DNS zone transfer that originates from a non-privileged port number (above 1024) suggests that the zone transfer is occurring between your DNS server and a DNS client program, such as nslookup. Zone transfers contain a list of the systems on your network, information that could be useful to an attacker.
Observe the source address, and watch for additional events originating at that address. Configure your DNS server to disallow zone transfers from systems other than the peer DNS servers it must exchange zone data with, or at least from non-privileged port numbers. If it is a standalone DNS server, disallow zone transfers entirely.
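The condition described above, written out as an added example (this is not ISS code and not the signature's actual implementation): it parses a DNS-over-TCP query and flags a zone transfer (AXFR) request whose source port is above 1024. The function names and the sample messages are constructed for illustration.

```python
import struct

AXFR = 252        # QTYPE for a full zone transfer (RFC 1035)
HIGH_PORT = 1024  # threshold stated in the signature description

def build_query(name, qtype, txid=0x1234):
    """Constructed sample input: a DNS-over-TCP query with one question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg  # TCP framing: 2-byte length prefix

def parse_question(tcp_payload):
    """Return (is_query, qname, qtype), or None if the message is malformed."""
    if len(tcp_payload) < 14:
        return None
    (length,) = struct.unpack_from("!H", tcp_payload, 0)
    msg = tcp_payload[2:2 + length]
    if length < 12 or len(msg) < length:  # truncated or too short for a header
        return None
    _, flags, qdcount = struct.unpack_from("!HHH", msg, 0)
    if qdcount < 1:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            return None
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n > 63 or pos + n > len(msg):  # reject pointers and overlong labels
            return None
        labels.append(msg[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(msg):
        return None
    qtype, _qclass = struct.unpack_from("!HH", msg, pos)
    return (flags & 0x8000) == 0, ".".join(labels), qtype

def check(src_port, tcp_payload):
    """Return an alert string for an AXFR query from a port above 1024, else None."""
    parsed = parse_question(tcp_payload)
    if parsed is None:
        return None
    is_query, qname, qtype = parsed
    if is_query and qtype == AXFR and src_port > HIGH_PORT:
        return f"zone transfer request for {qname} from high port {src_port}"
    return None
```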
ISS X-Force
Microsoft DNS Server - DNS Zone Transfers from high ports
http://www.iss.net/security_center/static/1226.php