Snort mailing list archives
Re: Strange traffic?
From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 26 Sep 2001 08:32:03 -0700 (PDT)
On Wed, 26 Sep 2001, Vjay LaRosa wrote:
Can some one help me here. I can't think of any reason that I would be
seeing this traffic.
09/26-09:10:17.709508 [**] [1:0:0] TFTP Traffic [**] [Classification:
Potentially Bad Traffic] [Priority: 2] {UDP} X.X.X.X:53 -> X.X.X.X:69
Looks like someone is trying to scan your net for TFTP servers. Using a source port of 53 is a common method to bypass poorly configured firewalls.
Why would there be a TFTP session using the source port for DNS? Any ideas would be appreciated. Thanks!
Good reason? Don't have one. Bad Reason: Someone's pokin' at ya! :) ----- Erek Adams Nifty-Type-Guy TheAdamsFamily.Net _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Strange traffic? Vjay LaRosa (Sep 26)
- Re: Strange traffic? Erek Adams (Sep 26)
- [off topic] poor firewall (was Re: Strange traffic?) Bruno Gimenes Pereti (Sep 26)
- RE: [off topic] poor firewall (was Re: Strange traffic?) Jyri Hovila (Sep 26)
- Re: [off topic] poor firewall (was Re: Strange traffic?) Skip Carter (Sep 26)
- [off topic] poor firewall (was Re: Strange traffic?) Bruno Gimenes Pereti (Sep 26)
- <Possible follow-ups>
- RE: Strange traffic? Thomas Whipp (Sep 26)
- Re: Strange traffic? Erek Adams (Sep 26)