[Snort-users] Weird alerts - false positive ?
attwell at ...461...
Mon Nov 6 17:30:52 EST 2000
On Mon, Nov 06, 2000 at 03:29:23PM +0100, Andreas Lindenblatt wrote:
> Hi Simon,
> > The alerts in most cases are sourced from my W2K host, and the destination
> > is a nameserver on my network, 21 and 53 are nameservers, 6 is the W2K box.
> IMHO this means that your x.x.x.53 tries to reach a port at your
> W2K-host that it's not allowed to access. Does your host on .53 handle
> mail? Most Mailers try to get information from the sender (auth, Port
> 113), which means your suspicious traffic should occur when you send or
> receive mail.
.21 and .53 are nameservers only.
I wonder if it's a response to a lookup in some strange way...
I have tcp dump of the ICMP DST UNRCH... but I'll turn on logging
for all traffic from .53 and .21 to the W2K host.
5520 Research Park Drive
Madison, WI 53711
attwell at ...460...
Berbee... putting the E in business.
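The thread's two hypotheses (an ident probe to TCP/113 being refused, or a DNS reply arriving at a closed port) can both be settled from the ICMP Destination Unreachable packets themselves, because RFC 792 requires the ICMP body to quote the original datagram's IP header plus its first 8 bytes, which carry the source and destination ports. The following is an added example, not code from the thread or from Snort; it constructs sample packets using RFC 5737 documentation addresses as stand-ins for the .6 and .53 hosts (an assumption), decodes the quoted datagram, and prints which of the two readings applies. It goes slightly beyond the thread by handling both TCP and UDP and several unreachable codes.

```python
import socket
import struct

# Constructed sample data (assumption): RFC 5737 documentation addresses standing in for
# the thread's .6 (W2K host) and .53 (nameserver). These are not captured packets.
W2K_HOST = "192.0.2.6"
NAMESERVER = "192.0.2.53"

ICMP_UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                      2: "protocol unreachable", 3: "port unreachable",
                      9: "net admin prohibited", 10: "host admin prohibited",
                      13: "communication admin prohibited"}
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def _ipv4_header(src, dst, proto, total_len):
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum (left 0), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def build_icmp_unreach(reporter, orig_src, orig_dst, orig_proto, sport, dport, code=3):
    """Build an IPv4 packet carrying ICMP type 3 (Destination Unreachable).

    The ICMP body quotes the offending datagram's IP header plus the first 8 bytes
    of its payload, which for TCP and UDP contain both port numbers.
    """
    quoted = _ipv4_header(orig_src, orig_dst, orig_proto, 28) + struct.pack("!HHI", sport, dport, 0)
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + quoted   # type, code, checksum, unused
    return _ipv4_header(reporter, orig_src, 1, 20 + len(icmp)) + icmp

def parse_icmp_unreach(pkt):
    """Decode an ICMP Destination Unreachable packet and return the quoted datagram's
    addresses, protocol and ports, or None if the packet is not such a message."""
    if len(pkt) < 20 or pkt[9] != 1:          # outer protocol must be ICMP
        return None
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if len(icmp) < 8 + 20 + 8 or icmp[0] != 3:  # need header + quoted IP header + 8 bytes
        return None
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    l4 = inner[inner_ihl:inner_ihl + 8]
    if len(l4) < 4:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    return {
        "reporter": socket.inet_ntoa(pkt[12:16]),
        "code": ICMP_UNREACH_CODES.get(icmp[1], f"code {icmp[1]}"),
        "orig_src": socket.inet_ntoa(inner[12:16]),
        "orig_dst": socket.inet_ntoa(inner[16:20]),
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "sport": sport,
        "dport": dport,
    }

def explain(info):
    """One-line reading of the decoded message for the two hypotheses in the thread."""
    if info is None:
        return "not an ICMP destination-unreachable message"
    if info["proto"] == "tcp" and info["dport"] == 113:
        return (f"{info['orig_src']} tried ident (TCP/113) on {info['orig_dst']}; "
                f"{info['reporter']} answered {info['code']}")
    if info["proto"] == "udp" and info["sport"] == 53:
        return (f"DNS reply from {info['orig_src']} reached closed port "
                f"{info['dport']} on {info['orig_dst']} (late or unsolicited answer)")
    return (f"{info['orig_src']}:{info['sport']} -> {info['orig_dst']}:{info['dport']} "
            f"({info['proto']}) was rejected by {info['reporter']}: {info['code']}")

if __name__ == "__main__":
    # Hypothesis 1: the nameserver rejects an ident probe from the W2K host.
    p1 = build_icmp_unreach(NAMESERVER, W2K_HOST, NAMESERVER, 6, 1025, 113)
    # Hypothesis 2: the W2K host rejects a DNS answer arriving after its socket closed.
    p2 = build_icmp_unreach(W2K_HOST, NAMESERVER, W2K_HOST, 17, 53, 1026)
    for p in (p1, p2):
        print(explain(parse_icmp_unreach(p)))
```

On a real capture the same decoder applies to the bytes after the link-layer header of each alerted packet; the quoted inner ports tell you immediately whether the rejected traffic was ident, a stray DNS answer, or something else, without waiting for a full-traffic log.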