Snort mailing list archives
RE: Strange traffic?
From: Thomas Whipp <tkw () objectronix co uk>
Date: Wed, 26 Sep 2001 16:50:45 +0100
It's a common technique for bypassing non-stateful filtering routers which have to allow DNS replies in. A similar question would be "why is a client using low ports to make DNS requests?" so if possible it wouldn't hurt to check the packet body or client system to see if it could actually be DNS traffic.

Tom

-----Original Message-----
From: Vjay LaRosa [mailto:vjayl () emc com]
Sent: 26 September 2001 15:57
To: snort-users () lists sourceforge net
Subject: [Snort-users] Strange traffic?

Hello,

Can someone help me here? I can't think of any reason that I would be seeing this traffic.

09/26-09:10:17.709508 [**] [1:0:0] TFTP Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} X.X.X.X:53 -> X.X.X.X:69

Why would there be a TFTP session using the source port for DNS? Any ideas would be appreciated.

Thanks!

vjl

--
V.Jay LaRosa              EMC Corporation
Systems Administrator     171 South Street
(508)435-1000 ext 14957   Hopkinton, MA 01748
(508)497-8082 fax         www.emc.com
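Added example, not part of the original messages or of Snort: one way to do the packet-body check suggested in the reply, deciding whether a UDP payload that arrived with source port 53 actually parses as a DNS reply or instead as a TFTP request. The function names and both sample payloads are constructed for illustration, and the checks are heuristics rather than a full protocol decoder.

```python
import struct

def looks_like_dns_response(payload: bytes) -> bool:
    """Heuristic: plausible DNS reply header plus a walkable question section."""
    if len(payload) < 12:                      # fixed DNS header is 12 bytes
        return False
    _id, flags, qd, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if not flags & 0x8000:                     # QR bit must be 1 in a reply
        return False
    if (flags >> 11) & 0xF > 6 or qd > 1:      # unassigned opcode, or odd question count
        return False
    pos = 12
    for _ in range(qd):
        while True:                            # walk the QNAME labels
            if pos >= len(payload):
                return False
            length = payload[pos]
            pos += 1
            if length == 0:
                break
            if length > 63:                    # labels are at most 63 bytes
                return False
            pos += length
        pos += 4                               # QTYPE + QCLASS
    return pos <= len(payload)

def tftp_request(payload: bytes):
    """Return 'RRQ' or 'WRQ' if payload is a well-formed TFTP request, else None."""
    if len(payload) < 4:
        return None
    name = {1: "RRQ", 2: "WRQ"}.get(struct.unpack("!H", payload[:2])[0])
    parts = payload[2:].split(b"\x00")         # filename, mode, trailing empty piece
    if name and len(parts) >= 3 and parts[0] and parts[1].lower() in (b"netascii", b"octet", b"mail"):
        return name
    return None

def triage(src_port: int, payload: bytes) -> str:
    """Classify a UDP payload that arrived with the given source port."""
    if src_port != 53:
        return "not-from-port-53"
    if looks_like_dns_response(payload):
        return "dns-reply"
    req = tftp_request(payload)
    return f"tftp-{req}-from-port-53" if req else "non-dns-from-port-53"

# Constructed sample payloads (not taken from the capture in this thread).
SAMPLE_DNS = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + b"\x07example\x03com\x00"
              + struct.pack("!2H", 1, 1) + b"\xc0\x0c"
              + struct.pack("!2HIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1]))
SAMPLE_TFTP = b"\x00\x01" + b"boot.cfg\x00octet\x00"
```

A payload classified as anything other than "dns-reply" is the case worth following up on the client system, as the reply suggests.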