[Snort-users] DNS traffic or portscan?

spyguy703 spyguy703 at ...131...
Tue Feb 26 11:16:08 EST 2002


Can someone please help me figure out what to make of this traffic that I 
pulled from portscan.log?

I had DNS admins check out the DNS server and they are certain that it has not 
been compromised and that no one is scanning me.

"dns1.mydomain.com" is our DNS server on the Internet.
"win32host" is a Windows host on the DMZ network (publicly routable IP).
"snorthost" is the management interface on the Snort host that monitors this 
network.


Feb 22 13:20:20 dns1.mydomain.com:53 -> win32host:1092 UDP 
Feb 22 13:20:21 dns1.mydomain.com:53 -> win32host:1096 UDP 
Feb 22 13:20:21 dns1.mydomain.com:53 -> win32host:1099 UDP 
Feb 22 13:20:21 dns1.mydomain.com:53 -> win32host:1101 UDP 
Feb 22 13:20:22 dns1.mydomain.com:53 -> win32host:1103 UDP 
Feb 22 13:20:24 dns1.mydomain.com:53 -> win32host:1105 UDP 
Feb 22 14:10:47 dns1.mydomain.com:53 -> snorthost:1108 UDP 
Feb 22 14:10:47 dns1.mydomain.com:53 -> snorthost:1109 UDP 
Feb 22 14:10:48 dns1.mydomain.com:53 -> snorthost:1110 UDP 
Feb 22 14:10:49 dns1.mydomain.com:53 -> snorthost:1111 UDP 
Feb 22 14:10:49 dns1.mydomain.com:53 -> snorthost:1112 UDP 
Feb 22 14:10:53 dns1.mydomain.com:53 -> snorthost:1113 UDP 
Feb 22 14:10:53 dns1.mydomain.com:53 -> snorthost:1114 UDP 
Feb 22 14:47:08 dns1.mydomain.com:53 -> snorthost:1122 UDP 
Feb 22 14:47:08 dns1.mydomain.com:53 -> snorthost:1123 UDP 
Feb 22 14:47:08 dns1.mydomain.com:53 -> snorthost:1124 UDP 
Feb 22 14:47:10 dns1.mydomain.com:53 -> snorthost:1125 UDP 
Feb 22 14:47:10 dns1.mydomain.com:53 -> snorthost:1126 UDP 
Feb 22 14:47:14 dns1.mydomain.com:53 -> snorthost:1127 UDP 
Feb 22 14:47:14 dns1.mydomain.com:53 -> snorthost:1128 UDP 
Feb 22 17:38:45 dns1.mydomain.com:53 -> snorthost:1132 UDP 
Feb 22 17:38:45 dns1.mydomain.com:53 -> snorthost:1133 UDP 
Feb 22 17:38:45 dns1.mydomain.com:53 -> snorthost:1134 UDP 
Feb 22 17:38:47 dns1.mydomain.com:53 -> snorthost:1135 UDP 
Feb 22 17:38:47 dns1.mydomain.com:53 -> snorthost:1136 UDP 
Feb 22 17:38:53 dns1.mydomain.com:53 -> snorthost:1137 UDP 
Feb 22 17:38:53 dns1.mydomain.com:53 -> snorthost:1138 UDP
