[Snort-users] Name resolution

John Sage jsage at ...2022...
Fri May 18 09:56:28 EDT 2001


Subba Rao wrote:

> Hi,
> This is going to be a very basic question. I do see (on daily basis) attempts
> to connect to the sunrpc services (port 111). When I try to resolve the IP
> address, I always get,
> *** myhost.mydom.com can't find sys.no.edu: Non-existent host/domain 
> How are these hackers conducting the hacks? They should get some response back
> from my machine. If their host/domain does not exist, then where are the
> replies from my system going?

If you really want to determine as much as you can about who/where/what these
IP's are, you need to use whois services at one of these:

ARIN: ttp://whois.arin.net/whois/index.html

Europe: http://www.ripe.net/cgi-bin/whois

Asia/Pacific generally: http://www.apnic.net/

Japan NIC:  http://whois.nic.ad.jp/cgi-bin/whois_gw

Korea NIC: http://www.nic.or.kr/www/english/

Taiwan NIC: http://www.twnic.net/English/Index.htm

Internic: http://www.internic.net/whois.html

The appropriate whois service will get you to the netblock holder, and in
many cases get you down to the specific administrative level of the domain..

I've found that all URI's with more than the domain.tld (ie: server.domain.tld)
will never resolve from an IP address under my local nslookup.


- John

John Sage
FinchHaven, Vashon Island, WA, USA
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."

More information about the Snort-users mailing list