[Snort-users] Strange traffic?

Erek Adams erek at ...577...
Wed Sep 26 08:33:02 EDT 2001


On Wed, 26 Sep 2001, Vjay LaRosa wrote:

> Can some one help me here. I can't think of any reason that I would be
> seeing this traffic.
>
> 09/26-09:10:17.709508  [**] [1:0:0] TFTP Traffic [**] [Classification:
> Potentially Bad Traffic] [Priority: 2] {UDP} X.X.X.X:53 -> X.X.X.X:69

Looks like someone is trying to scan your net for TFTP servers.  Using a
source port of 53 is a common method to bypass poorly configured firewalls.

> Why would there be a TFTP session using the source port for DNS? Any
> ideas would be appreciated. Thanks!

Good reason?  Don't have one.  Bad Reason:  Someone's pokin' at ya!  :)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net





More information about the Snort-users mailing list