[Snort-users] DNS traffic or portscan?

spyguy703 spyguy703 at ...131...
Tue Feb 26 11:33:11 EST 2002


On Tuesday 26 February 2002 11:28 am, McCammon, Keith wrote:

Feb 22 13:20:20 dns1.mydomain.com:53 -> win32host:1092 UDP 
Feb 22 13:20:21 dns1.mydomain.com:53 -> win32host:1096 UDP 
Feb 22 13:20:21 dns1.mydomain.com:53 -> win32host:1099 UDP 
Feb 22 13:20:21 dns1.mydomain.com:53 -> win32host:1101 UDP 
Feb 22 13:20:22 dns1.mydomain.com:53 -> win32host:1103 UDP 
Feb 22 13:20:24 dns1.mydomain.com:53 -> win32host:1105 UDP 
Feb 22 14:10:47 dns1.mydomain.com:53 -> snorthost:1108 UDP 
Feb 22 14:10:47 dns1.mydomain.com:53 -> snorthost:1109 UDP 
Feb 22 14:10:48 dns1.mydomain.com:53 -> snorthost:1110 UDP 
Feb 22 14:10:49 dns1.mydomain.com:53 -> snorthost:1111 UDP 
Feb 22 14:10:49 dns1.mydomain.com:53 -> snorthost:1112 UDP 
Feb 22 14:10:53 dns1.mydomain.com:53 -> snorthost:1113 UDP 
Feb 22 14:10:53 dns1.mydomain.com:53 -> snorthost:1114 UDP 
Feb 22 14:47:08 dns1.mydomain.com:53 -> snorthost:1122 UDP 
Feb 22 14:47:08 dns1.mydomain.com:53 -> snorthost:1123 UDP 
Feb 22 14:47:08 dns1.mydomain.com:53 -> snorthost:1124 UDP 
Feb 22 14:47:10 dns1.mydomain.com:53 -> snorthost:1125 UDP 
Feb 22 14:47:10 dns1.mydomain.com:53 -> snorthost:1126 UDP 
Feb 22 14:47:14 dns1.mydomain.com:53 -> snorthost:1127 UDP 
Feb 22 14:47:14 dns1.mydomain.com:53 -> snorthost:1128 UDP 
Feb 22 17:38:45 dns1.mydomain.com:53 -> snorthost:1132 UDP 
Feb 22 17:38:45 dns1.mydomain.com:53 -> snorthost:1133 UDP 
Feb 22 17:38:45 dns1.mydomain.com:53 -> snorthost:1134 UDP 
Feb 22 17:38:47 dns1.mydomain.com:53 -> snorthost:1135 UDP 
Feb 22 17:38:47 dns1.mydomain.com:53 -> snorthost:1136 UDP 
Feb 22 17:38:53 dns1.mydomain.com:53 -> snorthost:1137 UDP 
Feb 22 17:38:53 dns1.mydomain.com:53 -> snorthost:1138 UDP


There's the data.
I am aware that what I am providing is limited. But that is all I have.

The DNS server is outside the FW on some other network. SNORT is NOT running on
the same net. Sorry if I confused you.

> Can you please post the data?  Given this information, there isn't much
> advice to be offered.
>
> And I don't even want to know why your snort management interface is on
> the same network as your public name server...
