[Snort-users] Unknown alert

Joe Hill joehill at ...3945...
Thu Apr 3 16:33:16 EST 2003


I get this over and over in my alert log window:

[**] [1:254:2] DNS SPOOF query response with ttl: 1 min. and no authority [**]
[Classification: Potentially Bad Traffic] [Priority: 2] 
04/03-18:31:27.612252 0:90:27:90:30:2E -> 0:90:27:90:32:6F type:0x800 len:0x5D
192.168.0.1:53 -> 192.168.0.10:32795 UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:79 DF
Len: 59

The Snort definitions:

http://www.snort.org/snort-db/sid.html?id=254

show no info. Anyone have any offhand info on this?

Some info to provide context: I am running snort on my workstation (work??!!...riiiiiiiight), and my workstation is connected to a hub along with my wife's XP (shudder) box. The hub is then connected to my BBIAgent firewall (one o' those floppy distros) which provides firewall, NAT and port forwarding, and finally my DSL modem ("the leg bone's connected to the...red thing..." -Dr. Nick Riviera).

Am I just seeing traffic between the router and my wkstn? Is running snort on an internal network with this type of setup even going to see anything from the outside internet?

Is this something like what I am looking for, to exclude known or innocuous alerts?

      # DNS_SERVERS holds the addresses of "noisy" computers like DNS or NWM
      # to be ignored from portscans
      var DNS_SERVERS [1.1.1.1/32,2.2.2.2/32]

reading the docs as we speak...
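As an added example (not part of the original post or of Snort itself), this script parses the full-format alert quoted above and applies a DNS_SERVERS-style allow list to it: responses from port 53 of a listed resolver (here the 192.168.0.1 router, a constructed allow list) are routed to a low-priority queue while everything else keeps full priority. The sample alert text, the KNOWN_DNS_SERVERS list and the function names are all assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample: the alert block quoted in the post above (full-format Snort alert).
SAMPLE_ALERT = """[**] [1:254:2] DNS SPOOF query response with ttl: 1 min. and no authority [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/03-18:31:27.612252 0:90:27:90:30:2E -> 0:90:27:90:32:6F type:0x800 len:0x5D
192.168.0.1:53 -> 192.168.0.10:32795 UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:79 DF
Len: 59
"""

# Hypothetical allow list in the spirit of the DNS_SERVERS variable from the post:
# resolvers whose port-53 answers are expected on this LAN.
KNOWN_DNS_SERVERS = [ipaddress.ip_network(n) for n in ("192.168.0.1/32",)]

HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")
CLASS_RE = re.compile(r"\[Classification: (.*?)\] \[Priority: (\d+)\]")
IP_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (\w+)", re.M)


def parse_alert(text):
    """Extract the fields a triage script needs from one full-format Snort alert."""
    h = HEADER_RE.search(text)
    c = CLASS_RE.search(text)
    ip = IP_RE.search(text)
    if not (h and c and ip):
        raise ValueError("not a full-format Snort alert")
    return {
        "gid": int(h.group(1)), "sid": int(h.group(2)), "rev": int(h.group(3)),
        "msg": h.group(4),
        "classification": c.group(1), "priority": int(c.group(2)),
        "src": ip.group(1), "sport": int(ip.group(2)),
        "dst": ip.group(3), "dport": int(ip.group(4)), "proto": ip.group(5),
    }


def from_known_resolver(alert, servers=KNOWN_DNS_SERVERS):
    """True when the UDP answer comes from port 53 of a listed resolver.

    A DNS SPOOF alert that is really the LAN's own resolver answering with a
    short TTL and no authority section can then go to a review queue instead
    of the main alert window; anything else keeps full priority.
    """
    src = ipaddress.ip_address(alert["src"])
    return alert["proto"] == "UDP" and alert["sport"] == 53 and any(src in n for n in servers)


def triage(text):
    """Classify one alert block: 'review-later' for listed resolvers, else 'investigate'."""
    return "review-later" if from_known_resolver(parse_alert(text)) else "investigate"
```

Note that this only lowers the priority of alerts from addresses you already trust; a spoofed answer can still carry a trusted source address, so the queue should be reviewed rather than discarded.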
