[Snort-users] Strange traffic?

Thomas Whipp tkw at ...1885...
Wed Sep 26 08:52:02 EDT 2001

its a common technique for bypassing non-stateful filtering
routers which have to allow DNS replies in.
A similar question would be "why is a client using low ports
to make DNS requests?" so if possible it wouldn't hurt to
check the packet body or client system to see if it could
actually be DNS traffic.

-----Original Message-----
From: Vjay LaRosa [mailto:vjayl at ...3331...]
Sent: 26 September 2001 15:57
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Strange traffic?


Can some one help me here. I can't think of any reason that
I would be seeing this traffic. 

09/26-09:10:17.709508  [**] [1:0:0] TFTP Traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
{UDP} X.X.X.X:53 -> X.X.X.X:69 

Why would there be a TFTP session using the source port for
DNS? Any ideas would be appreciated. Thanks! 



 V.Jay LaRosa                           EMC Corporation

 Systems Administrator                  171 South Street

 (508)435-1000 ext 14957                Hopkinton, MA 01748

 (508)497-8082 fax                      www.emc.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20010926/0548d954/attachment.html>

More information about the Snort-users mailing list