[Snort-users] dns servers

snortlst snortlst snortlst at ...125...
Fri Oct 19 11:56:09 EDT 2001


I see in the snort alert file a lot of entries like that:
dns server1 > firewall > ICMP unreachable
dns server2 > firewall > ICMP unreachable

(those are AT&T dns servers that are listed in DNS_SERVERS in snort.conf)
Questions:
1. Why do I receive those messages? (They're supposed to be ignored because
of the DNS_SERVERS entry in snort.conf, right?)
2. Do you have any idea why dns servers send icmp traffic to our firewall?
(they're supposed to be talking udp-53 and that's it...)

Thanks.
