[Snort-users] DNS traffic or portscan?

spyguy703 spyguy703 at ...131...
Tue Feb 26 11:31:05 EST 2002


I will try that. Some individuals have told me that snort is only seeing one 
side of regular DNS traffic and thus is showing up as a portscan.

Possible? If so, what did I do wrong with snort?


On Tuesday 26 February 2002 11:24 am, Glenn Forbes Fleming Larratt wrote:
> It's not a sure thing, but, examining from stimulus-response perspective,
> it's mighty convenient that the source port numbers increment more or less
> sequentially - across, supposedly, two different source hosts. It's a
> reasonable possibility someone spoofed the addresses of win32host,
> snorthost, or both.
>
> Configuring Snort to log traffic to dns1.mydomain.com might help determine
> (a) source MAC addresses, to confirm or deny the spoofing theory,
> (b) contents of the DNS requests stimulating this response (DDNS? Cache
> poisoning? version.bind queries? etc.).
>
> 	-g
>
> On Tue, 26 Feb 2002, spyguy703 wrote:
> > Can someone please help me figure out what to make of this traffic that I
> > pulled from portscan.log?
> >
> > I had DNS admins check out the DNS server and they are certain that it has
> > not been compromised and that no one is scanning me.
> >
> > "dns1.mydomain.com" is our DNS server on the internet
> > "win32host" is a windows host on the DMZ network (publicly routable IP)
> > "snorthost" is the management interface on the snort host that monitors
> > this network.
> >
> >
> > Feb 22 13:20:20 dns1.mydomain.com:53 -> win32host:1092 UDP
> > Feb 22 13:20:21 dns1.mydomain.com:53 -> win32host:1096 UDP
> > Feb 22 13:20:21 dns1.mydomain.com:53 -> win32host:1099 UDP
> > Feb 22 13:20:21 dns1.mydomain.com:53 -> win32host:1101 UDP
> > Feb 22 13:20:22 dns1.mydomain.com:53 -> win32host:1103 UDP
> > Feb 22 13:20:24 dns1.mydomain.com:53 -> win32host:1105 UDP
> > Feb 22 14:10:47 dns1.mydomain.com:53 -> snorthost:1108 UDP
> > Feb 22 14:10:47 dns1.mydomain.com:53 -> snorthost:1109 UDP
> > Feb 22 14:10:48 dns1.mydomain.com:53 -> snorthost:1110 UDP
> > Feb 22 14:10:49 dns1.mydomain.com:53 -> snorthost:1111 UDP
> > Feb 22 14:10:49 dns1.mydomain.com:53 -> snorthost:1112 UDP
> > Feb 22 14:10:53 dns1.mydomain.com:53 -> snorthost:1113 UDP
> > Feb 22 14:10:53 dns1.mydomain.com:53 -> snorthost:1114 UDP
> > Feb 22 14:47:08 dns1.mydomain.com:53 -> snorthost:1122 UDP
> > Feb 22 14:47:08 dns1.mydomain.com:53 -> snorthost:1123 UDP
> > Feb 22 14:47:08 dns1.mydomain.com:53 -> snorthost:1124 UDP
> > Feb 22 14:47:10 dns1.mydomain.com:53 -> snorthost:1125 UDP
> > Feb 22 14:47:10 dns1.mydomain.com:53 -> snorthost:1126 UDP
> > Feb 22 14:47:14 dns1.mydomain.com:53 -> snorthost:1127 UDP
> > Feb 22 14:47:14 dns1.mydomain.com:53 -> snorthost:1128 UDP
> > Feb 22 17:38:45 dns1.mydomain.com:53 -> snorthost:1132 UDP
> > Feb 22 17:38:45 dns1.mydomain.com:53 -> snorthost:1133 UDP
> > Feb 22 17:38:45 dns1.mydomain.com:53 -> snorthost:1134 UDP
> > Feb 22 17:38:47 dns1.mydomain.com:53 -> snorthost:1135 UDP
> > Feb 22 17:38:47 dns1.mydomain.com:53 -> snorthost:1136 UDP
> > Feb 22 17:38:53 dns1.mydomain.com:53 -> snorthost:1137 UDP
> > Feb 22 17:38:53 dns1.mydomain.com:53 -> snorthost:1138 UDP
>
> 				Glenn Forbes Fleming Larratt
> 				Rice University Network Management
> 				glratt at ...604...
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

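As an added illustration of the "Snort only sees one side of the DNS exchange" explanation (example code written for this page, not from the thread or from Snort itself): a small Python parser for the portscan.log format quoted above that groups entries by source host, destination host and protocol, and labels a group as probable replies when a single service source port fans out to increasing ephemeral destination ports. The scanner.example lines in the sample are constructed for contrast; the function and host names are assumptions.

```python
import re
from collections import defaultdict

# Snort 1.x portscan.log line, as quoted in the thread:
#   "Feb 22 13:20:20 dns1.mydomain.com:53 -> win32host:1092 UDP"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<src>[\w.-]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\w.-]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

def parse(lines):
    """Yield (src, sport, dst, dport, proto); malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"]

def classify(lines):
    """Label each (src, dst, proto) group of portscan.log entries.

    A single service source port (<1024) fanning out to increasing ephemeral
    (>1023) destination ports is what server replies look like when the sensor
    never saw the client's requests; a real sweep varies the destination port."""
    groups = defaultdict(list)
    for src, sport, dst, dport, proto in parse(lines):
        groups[(src, dst, proto)].append((sport, dport))
    verdicts = {}
    for key, pairs in groups.items():
        sports = {sp for sp, _ in pairs}
        dports = [dp for _, dp in pairs]
        one_service_port = len(sports) == 1 and min(sports) < 1024
        ephemeral = all(p > 1023 for p in dports)
        increasing = all(a < b for a, b in zip(dports, dports[1:]))
        if one_service_port and ephemeral and increasing:
            verdicts[key] = "likely replies to unseen requests"
        else:
            verdicts[key] = "possible scan"
    return verdicts

# Constructed sample: three lines from the thread plus a made-up TCP sweep.
SAMPLE = """\
Feb 22 13:20:20 dns1.mydomain.com:53 -> win32host:1092 UDP
Feb 22 13:20:21 dns1.mydomain.com:53 -> win32host:1096 UDP
Feb 22 13:20:21 dns1.mydomain.com:53 -> win32host:1099 UDP
Feb 22 15:01:00 scanner.example:40001 -> win32host:21 TCP
Feb 22 15:01:00 scanner.example:40002 -> win32host:22 TCP
Feb 22 15:01:01 scanner.example:40003 -> win32host:80 TCP
""".splitlines()
```

A group labelled as replies is a hint for tuning, not proof: as suggested above, capture both directions (and the source MAC addresses) at the sensor before treating the alert as a false positive.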




