Snort mailing list archives

RE: Strange traffic?


From: Thomas Whipp <tkw () objectronix co uk>
Date: Wed, 26 Sep 2001 16:50:45 +0100

It's a common technique for bypassing non-stateful filtering
routers which have to allow DNS replies in.
 
A similar question would be "why is a client using low ports
to make DNS requests?" so if possible it wouldn't hurt to
check the packet body or client system to see if it could
actually be DNS traffic.
 
    Tom

-----Original Message-----
From: Vjay LaRosa [mailto:vjayl () emc com]
Sent: 26 September 2001 15:57
To: snort-users () lists sourceforge net
Subject: [Snort-users] Strange traffic?


Hello, 

Can someone help me here? I can't think of any reason that
I would be seeing this traffic. 


09/26-09:10:17.709508  [**] [1:0:0] TFTP Traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
{UDP} X.X.X.X:53 -> X.X.X.X:69 


Why would there be a TFTP session using the source port for
DNS? Any ideas would be appreciated. Thanks! 


vjl 

-- 

 V.Jay LaRosa                           EMC Corporation

 Systems Administrator                  171 South Street

 (508)435-1000 ext 14957                Hopkinton, MA 01748

 (508)497-8082 fax                      www.emc.com
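
The reply's suggestion to check the packet body, as an added example that is not part of the original thread: a heuristic that tests whether a UDP payload sent from source port 53 parses as a DNS message or as a TFTP read/write request. The function names and both sample payloads are constructed for illustration.

```python
import struct

TFTP_MODES = (b"netascii", b"octet", b"mail")

def looks_like_dns(payload: bytes) -> bool:
    """Heuristic: plausible DNS header followed by a well-formed first question."""
    if len(payload) < 12:
        return False
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    opcode = (flags >> 11) & 0xF
    z_bit = (flags >> 6) & 0x1            # reserved bit, must be 0 (RFC 1035)
    # Assumption: ordinary queries and replies carry exactly one question.
    if opcode > 5 or z_bit or qdcount != 1:
        return False
    pos = 12
    while pos < len(payload):             # walk the QNAME labels
        length = payload[pos]
        if length == 0:                   # root label ends the name
            return pos + 1 + 4 <= len(payload)   # QTYPE + QCLASS must follow
        if length > 63:                   # not a plain label
            return False
        pos += 1 + length
    return False

def tftp_request(payload: bytes):
    """Return 'RRQ' or 'WRQ' if the payload is a TFTP request (RFC 1350), else None."""
    if len(payload) < 4:
        return None
    opcode = struct.unpack("!H", payload[:2])[0]
    fields = payload[2:].split(b"\x00")   # filename, mode, trailing empty field
    if opcode in (1, 2) and len(fields) >= 3 and fields[0] and fields[1].lower() in TFTP_MODES:
        return "RRQ" if opcode == 1 else "WRQ"
    return None

def inspect_sport53(payload: bytes) -> str:
    """Classify the body of a UDP packet whose source port is 53."""
    if looks_like_dns(payload):
        return "dns"
    kind = tftp_request(payload)
    return f"tftp:{kind}" if kind else "other"

# Constructed samples: a DNS reply for example.com and a TFTP read request.
DNS_REPLY = (struct.pack("!6H", 0x1A2B, 0x8180, 1, 1, 0, 0)
             + b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1)
             + b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
TFTP_RRQ = b"\x00\x01boot.cfg\x00octet\x00"

if __name__ == "__main__":
    for name, body in (("DNS_REPLY", DNS_REPLY), ("TFTP_RRQ", TFTP_RRQ)):
        print(name, "->", inspect_sport53(body))
```

A result of `tftp:RRQ` or `other` for a packet like the alerted `:53 -> :69` one means the source port is the only DNS-like thing about it.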