[Snort-users] Weird alerts - false positive ?

Simon Attwell attwell at ...461...
Mon Nov 6 17:30:52 EST 2000


On Mon, Nov 06, 2000 at 03:29:23PM +0100, Andreas Lindenblatt wrote:
> Hi Simon,
> 
> > The alerts in most cases are sourced from my W2K host, and the destination
> > is a nameserver on my network, 21 and 53 are nameservers, 6 is the W2K box.
> 
> IMHO this means that your x.x.x.53 tries to reach a port at your
> W2K-host that it's not allowed to access. Does your host on .53 handle
> mail? Most Mailers try to get information from the sender (auth, Port
> 113), which means your suspicious traffic should occur when you send or
> receive mail.

.21 and .53 are nameservers only.
I wonder if it's a response to a lookup in some strange way...
I have a tcpdump of the ICMP DST UNRCH... but I'll turn on logging
for all traffic from .53 and .21 to the W2K host.

	- Simon

--
Simon Attwell
Systems Engineer
Berbee
5520 Research Park Drive
Madison, WI 53711
attwell at ...460...

Berbee... putting the E in business.
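As an added illustration (not code from this thread, from Simon, or from Snort), here is a small Python decoder for ICMP Destination Unreachable packets like the ones in Simon's capture. An ICMP type 3 message quotes the IP header and the first 8 bytes of the transport header of the packet that was rejected, so decoding that quoted part tells you which flow the W2K host was refusing: a UDP datagram with source port 53 would support Simon's "response to a lookup" theory (a late DNS reply arriving after the resolver's socket closed), while a TCP SYN to port 113 would support Andreas's ident/auth theory. The 192.0.2.x addresses, the ephemeral ports and the two sample packets are all constructed here for the demonstration.

```python
import socket
import struct

# Human-readable names for the ICMP type 3 codes most often seen in Snort alerts.
UNREACH_CODES = {0: "net", 1: "host", 2: "protocol", 3: "port",
                 9: "net-admin-prohibited", 10: "host-admin-prohibited",
                 13: "communication-admin-prohibited"}
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_icmp_unreachable(pkt: bytes) -> dict:
    """Decode a raw IPv4/ICMP Destination Unreachable packet (no link layer).

    Returns the outer sender/receiver plus the quoted original flow:
    protocol, source, source port, destination, destination port.
    """
    ihl = (pkt[0] & 0x0F) * 4                       # outer IP header length
    if pkt[9] != 1:
        raise ValueError("outer packet is not ICMP")
    outer_src = socket.inet_ntoa(pkt[12:16])
    outer_dst = socket.inet_ntoa(pkt[16:20])
    icmp = pkt[ihl:]
    itype, icode = icmp[0], icmp[1]
    if itype != 3:
        raise ValueError("not a Destination Unreachable (type 3) message")
    inner = icmp[8:]                                 # quoted original IP header + 8 bytes
    inner_ihl = (inner[0] & 0x0F) * 4
    inner_proto = inner[9]
    l4 = inner[inner_ihl:inner_ihl + 8]              # RFC 792 quotes 8 bytes of transport header
    sport, dport = struct.unpack("!HH", l4[:4])      # ports are the first 4 bytes for TCP and UDP
    return {
        "reporter": outer_src, "reported_to": outer_dst,
        "code": UNREACH_CODES.get(icode, str(icode)),
        "original": {
            "proto": PROTO_NAMES.get(inner_proto, str(inner_proto)),
            "src": socket.inet_ntoa(inner[12:16]), "sport": sport,
            "dst": socket.inet_ntoa(inner[16:20]), "dport": dport,
        },
    }


def classify(info: dict) -> str:
    """Label the rejected flow with the two explanations raised in the thread."""
    f = info["original"]
    if f["proto"] == "UDP" and f["sport"] == 53:
        return "late-dns-reply"          # nameserver answer the host no longer had a socket for
    if f["proto"] == "TCP" and f["dport"] == 113:
        return "ident-probe"             # mailer asking the W2K host for auth/ident information
    return "other"


# --- constructed sample packets (hypothetical addresses in 192.0.2.0/24) -------------
W2K, NS53, NS21 = "192.0.2.6", "192.0.2.53", "192.0.2.21"


def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    # Minimal 20-byte header; the checksum is left zero since the parser ignores it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def port_unreachable(reporter: str, original: bytes) -> bytes:
    # The reporter bounces the original packet's sender an ICMP type 3 / code 3
    # quoting the original IP header plus 8 bytes of its transport header.
    quoted = original[:20 + 8]
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted
    return ipv4_header(reporter, socket.inet_ntoa(original[12:16]), 1, 20 + len(icmp)) + icmp


def constructed_samples() -> dict:
    # 1) DNS reply from the .53 nameserver (source port 53) to an ephemeral port on the W2K host.
    dns_reply = ipv4_header(NS53, W2K, 17, 28) + struct.pack("!HHHH", 53, 1033, 8, 0)
    # 2) TCP SYN from the .21 host to the ident port (113) on the W2K host.
    ident_syn = ipv4_header(NS21, W2K, 6, 40) + struct.pack("!HHIIBBHHH", 2049, 113, 1, 0,
                                                             0x50, 0x02, 8192, 0, 0)
    return {"dns": port_unreachable(W2K, dns_reply),
            "ident": port_unreachable(W2K, ident_syn)}


if __name__ == "__main__":
    for name, pkt in constructed_samples().items():
        info = parse_icmp_unreachable(pkt)
        print(name, classify(info), info)
```

Run against a real capture, feed each ICMP packet's IPv4 bytes into `parse_icmp_unreachable`: if every hit classifies as `late-dns-reply` with the reporter being the W2K host and the quoted destination port changing each time, the alert is the resolver's ephemeral port closing before a slow answer arrives, which is benign noise rather than a scan.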


