[Snort-users] DNS traffic or portscan?

McCammon, Keith Keith.McCammon at ...3497...
Tue Feb 26 11:42:17 EST 2002


Try running Snort with the -d option set to decode the application-layer
data.  That will give you some more detailed information.  Also, set the
DNS_SERVERS variable in your snort.conf file, if you have not done so
already, which will ignore most false positives generated by name server
queries.

As I mentioned, this information doesn't tell us anything about the
nature of the traffic; it only tells us where it came from and where
it's going, which isn't much help.  At first glance, however, I can tell
you that it looks relatively normal.

Cheers

Keith

-----Original Message-----
From: spyguy703 [mailto:spyguy703 at ...131...]
Sent: Tuesday, February 26, 2002 2:29 PM
To: McCammon, Keith; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] DNS traffic or portscan?


On Tuesday 26 February 2002 11:28 am, McCammon, Keith wrote:

Feb 22 13:20:20 dns1.mydomain.com:53 -> win32host:1092 UDP 
Feb 22 13:20:21 dns1.mydomain.com:53 -> win32host:1096 UDP 
Feb 22 13:20:21 dns1.mydomain.com:53 -> win32host:1099 UDP 
Feb 22 13:20:21 dns1.mydomain.com:53 -> win32host:1101 UDP 
Feb 22 13:20:22 dns1.mydomain.com:53 -> win32host:1103 UDP 
Feb 22 13:20:24 dns1.mydomain.com:53 -> win32host:1105 UDP 
Feb 22 14:10:47 dns1.mydomain.com:53 -> snorthost:1108 UDP 
Feb 22 14:10:47 dns1.mydomain.com:53 -> snorthost:1109 UDP 
Feb 22 14:10:48 dns1.mydomain.com:53 -> snorthost:1110 UDP 
Feb 22 14:10:49 dns1.mydomain.com:53 -> snorthost:1111 UDP 
Feb 22 14:10:49 dns1.mydomain.com:53 -> snorthost:1112 UDP 
Feb 22 14:10:53 dns1.mydomain.com:53 -> snorthost:1113 UDP 
Feb 22 14:10:53 dns1.mydomain.com:53 -> snorthost:1114 UDP 
Feb 22 14:47:08 dns1.mydomain.com:53 -> snorthost:1122 UDP 
Feb 22 14:47:08 dns1.mydomain.com:53 -> snorthost:1123 UDP 
Feb 22 14:47:08 dns1.mydomain.com:53 -> snorthost:1124 UDP 
Feb 22 14:47:10 dns1.mydomain.com:53 -> snorthost:1125 UDP 
Feb 22 14:47:10 dns1.mydomain.com:53 -> snorthost:1126 UDP 
Feb 22 14:47:14 dns1.mydomain.com:53 -> snorthost:1127 UDP 
Feb 22 14:47:14 dns1.mydomain.com:53 -> snorthost:1128 UDP 
Feb 22 17:38:45 dns1.mydomain.com:53 -> snorthost:1132 UDP 
Feb 22 17:38:45 dns1.mydomain.com:53 -> snorthost:1133 UDP 
Feb 22 17:38:45 dns1.mydomain.com:53 -> snorthost:1134 UDP 
Feb 22 17:38:47 dns1.mydomain.com:53 -> snorthost:1135 UDP 
Feb 22 17:38:47 dns1.mydomain.com:53 -> snorthost:1136 UDP 
Feb 22 17:38:53 dns1.mydomain.com:53 -> snorthost:1137 UDP 
Feb 22 17:38:53 dns1.mydomain.com:53 -> snorthost:1138 UDP


There's the data.
I am aware that what I am providing is limited. But that is all I have.

DNS Server is outside FW on some other network. SNORT is NOT running on
same net. Sorry if I confused.
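The triage Keith describes (decide whether a burst of port-53 UDP packets from a known resolver is name-server traffic or something worth a closer look) can be scripted against the portscan log format pasted above. The following is an added example written for this thread, not code from Snort or from either poster. It parses lines in the exact shape shown in the log, mirrors the snort.conf DNS_SERVERS list in a Python set (the host name `dns1.mydomain.com` comes from the log; the extra `badhost.example` lines are constructed to show a group that does not fit the resolver pattern), and groups events by source host. A source is labelled `dns-response` only when every event from it is UDP, from port 53, from a listed resolver, and to an ephemeral destination port; anything else is labelled `review`, which means "look at the decoded payload", not "this is a scan".

```python
import re
from collections import defaultdict

# Snort 1.x portscan.log line shape, exactly as pasted in the thread:
#   "Feb 22 13:20:20 dns1.mydomain.com:53 -> win32host:1092 UDP"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) (?P<proto>\w+)$"
)

# Constructed sample: five lines taken from the thread plus three constructed
# TCP lines from a made-up host, so both verdicts are exercised.
SAMPLE_LOG = """\
Feb 22 13:20:20 dns1.mydomain.com:53 -> win32host:1092 UDP
Feb 22 13:20:21 dns1.mydomain.com:53 -> win32host:1096 UDP
Feb 22 14:10:47 dns1.mydomain.com:53 -> snorthost:1108 UDP
Feb 22 14:10:47 dns1.mydomain.com:53 -> snorthost:1109 UDP
Feb 22 14:10:48 dns1.mydomain.com:53 -> snorthost:1110 UDP
Feb 22 15:00:01 badhost.example:4444 -> snorthost:21 TCP
Feb 22 15:00:01 badhost.example:4444 -> snorthost:22 TCP
Feb 22 15:00:02 badhost.example:4444 -> snorthost:23 TCP
"""

# Assumed to mirror the DNS_SERVERS variable in snort.conf; host name from the log.
DNS_SERVERS = {"dns1.mydomain.com"}
EPHEMERAL_MIN = 1024  # client-side source ports for resolver queries sit above this


def parse(log_text):
    """Turn portscan.log text into a list of dicts; reject lines of another shape."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable portscan line: {line!r}")
        d = m.groupdict()
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        events.append(d)
    return events


def classify(events, dns_servers=DNS_SERVERS):
    """Group events by source host and label each group.

    'dns-response': every packet is UDP, source port 53, from a listed resolver,
                    to an ephemeral port (a reply to a query the client sent).
    'review':       at least one packet breaks that pattern; decode the payload
                    (snort -d) before deciding what it is.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    verdicts = {}
    for src, evs in by_src.items():
        looks_like_dns = all(
            e["proto"] == "UDP"
            and e["sport"] == 53
            and src in dns_servers
            and e["dport"] >= EPHEMERAL_MIN
            for e in evs
        )
        verdicts[src] = {
            "verdict": "dns-response" if looks_like_dns else "review",
            "targets": sorted({e["dst"] for e in evs}),
            "dports": sorted({e["dport"] for e in evs}),
            "count": len(evs),
        }
    return verdicts


if __name__ == "__main__":
    for src, info in classify(parse(SAMPLE_LOG)).items():
        print(f"{src:22} {info['verdict']:13} {info['count']:3} pkts -> "
              f"{','.join(info['targets'])} ports {info['dports']}")
```

The header fields alone cannot prove the packets are DNS replies, which is Keith's point; the script only separates traffic that is consistent with the resolver you already trust from traffic that is not, so that the -d decoded output is spent on the second group.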



