RealSecure Server Sensor, RealSecure Desktop Protector, RealSecure Network, BlackICE Server Protection, BlackICE PC Protection, RealSecure Sentry, RealSecure Guard, BlackICE Agent for Server, Proventia Desktop, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Server Protection for Windows, Proventia Server IPS for Linux technology, RealSecure Desktop Protector 3.6, Proventia Network IPS:
This signature detects a zone transfer occurring from a source port greater than 1024.
This signature replaces DNS_Zone_High_Port.
Low
RealSecure Server Sensor: 7.0, RealSecure Desktop Protector: 3.6, RealSecure Network: 7.0, BlackICE Server Protection: 3.6.cbd, BlackICE PC Protection: 3.6.cbd, RealSecure Sentry: 3.6, RealSecure Guard: 3.6, BlackICE Agent for Server: 3.6, Proventia Desktop: 8.0.614.1, Proventia Network IDS: A Series, Proventia-G 1.1 and earlier: G Series, Proventia Network MFS: 1.0, IBM Security Server Protection for Windows: 1.0.914.0, Proventia Server IPS for Linux technology: 1.0, RealSecure Desktop: baseline, RealSecure Desktop Protector 3.6: baseline, Proventia Network IPS: 2.0
Various vendors Any application, DNS DNS
Pre-attack Probe
A DNS zone transfer that originates from a non-privileged port number (above 1024) suggests that the zone transfer is occurring between your DNS server and a DNS client program, such as nslookup. Zone transfers contain a list of the systems on your network. Such information could be useful to an attacker in performing an attack.
Observe the source address, and watch for additional events originating at that address. Configure your DNS server to disallow zone transfers from systems other than the peer DNS servers it must exchange zone data with, or at least from non-privileged port numbers. If it is a standalone DNS server, disallow zone transfers entirely.
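The condition this signature describes can be checked on a captured DNS-over-TCP request as in the added example below, which is not ISS code and does not reproduce the sensor's own logic. It assumes "zone transfer" means a query with QTYPE 252 (AXFR) sent to port 53; the function names and the sample query are constructed for illustration.

```python
import struct

AXFR = 252  # DNS QTYPE for a full zone transfer (RFC 1035)
PRIVILEGED_MAX = 1024  # the signature fires on source ports greater than this

def build_query(name, qtype, txid=0x1234):
    """Constructed sample: one-question DNS query with the 2-byte TCP length prefix."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    msg = header + qname + b"\x00" + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg

def parse_question(tcp_payload):
    """Return (qname, qtype) of the first question, or None if truncated or not a query."""
    if len(tcp_payload) < 14:
        return None
    (length,) = struct.unpack_from("!H", tcp_payload, 0)
    msg = tcp_payload[2:2 + length]
    if length < 12 or len(msg) < length:
        return None
    _txid, flags, qdcount = struct.unpack_from("!HHH", msg, 0)
    if flags & 0x8000 or qdcount < 1:  # QR bit set means a response
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            return None
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0 or pos + n > len(msg):  # no compression pointers in a first question
            return None
        labels.append(msg[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(msg):
        return None
    qtype, _qclass = struct.unpack_from("!HH", msg, pos)
    return ".".join(labels), qtype

def high_port_zone_transfer(src_port, dst_port, tcp_payload):
    """True when an AXFR request reaches port 53 from a source port above 1024."""
    if dst_port != 53 or src_port <= PRIVILEGED_MAX:
        return False
    question = parse_question(tcp_payload)
    return question is not None and question[1] == AXFR
```

A request from source port 53 or from any port up to 1024 is not flagged, matching the description's distinction between a peer DNS server and a client program.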
ISS X-Force
Microsoft DNS Server - DNS Zone Transfers from high ports
http://www.iss.net/security_center/static/1226.php