Snort mailing list archives
Re: DNS 53 <-> 53 ?
From: Ramin Alidousti <ramin () cannon eng us uu net>
Date: Tue, 17 Jul 2001 12:39:40 -0400
On Tue, Jul 17, 2001 at 05:16:23PM +0100, Graeme Fowler wrote:
> Howdy
>
> <message edited>
>
> > I've had a second look over the tcpdump log. Have a look at this:
> >
> > 14:21:22.145075 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 78:
> > 14:54:26.078810 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 79:
> > 15:17:42.677608 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 83:
> >
> > Three times the same hardware address (source), but each with a different
> > IP address. I think this looks indeed like spoofing... or is there any
> > valid reason for something like this?
>
> Let me guess... your Snort box is effectively *outside* your router/firewall, right?
>
> Network <-> router/firewall <-> snort <-> world
>
> Snort is seeing the HW address of your router/firewall. It cannot see the
> hardware address of the external source machine as this gets removed from
> (or changed in) the MAC header by successive routers. A MAC address has no
> relevance outside of the local LAN, so each time the packet traverses a
> router the MAC address it carries is that of the last hop (router or end
> node). The 0:0:0:0:0:1 address is the last hop telling the next hop "I
> don't know this, it's not relevant anyway, but fill it in if you know it
> and can hand
Nice theory. I didn't know that a layer three device would pass the packet not knowing the MAC of the next-hop and asking the next-hop to fill it in for him. What is, then, the ARP for? Ramin
> off the packet directly to it" - otherwise known as the 'Me' address.
> Unknown addresses are 0:0:0:0:0:0, just look in a DHCP packet for example.
>
> HTH
>
> Graeme
>
> --
> Graeme Fowler
> System Administrator
> Host Europe Group PLC

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
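Graeme's explanation above (a sensor placed outside the router sees the router's MAC as the source on every inbound frame, so one source MAC carrying many source IPs is expected there) suggests the check to run before calling this spoofing: group source IPs by source MAC and compare that MAC against the gateway's. The Python below is an added example written for this page, not code from the thread or from Snort. The log lines are constructed in the old tcpdump -e link-level format: the three timestamps and MAC addresses are the ones quoted above, but the IP addresses are invented from documentation ranges because the quoted excerpt does not show them. The gateway MAC handed to classify() is an assumption, standing in for what you would read from the sensor's ARP table.

```python
import re
from collections import defaultdict

# Old tcpdump -e link-level line format, as in the thread:
#   <timestamp> < <src_mac> <dst_mac> ip <len>: <src_ip>.<sport> > <dst_ip>.<dport>: ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+[<>]\s+"
    r"(?P<src_mac>[0-9A-Fa-f:]+)\s+(?P<dst_mac>[0-9A-Fa-f:]+)\s+ip\s+(?P<len>\d+):\s+"
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+)"
)

# Constructed sample: MACs and timestamps from the quoted tcpdump output,
# IP addresses and DNS payloads invented (RFC 5737 documentation ranges).
SAMPLE_LOG = """\
14:21:22.145075 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 78: 192.0.2.10.53 > 198.51.100.5.53: 1234 A? example.org. (36)
14:54:26.078810 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 79: 203.0.113.7.53 > 198.51.100.5.53: 1235 A? example.net. (37)
15:17:42.677608 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 83: 192.0.2.200.53 > 198.51.100.5.53: 1236 A? example.com. (41)
"""


def normalize_mac(mac):
    """Pad each octet to two hex digits and lowercase, so 0:b0:c2:8b:bd:3
    and 00:B0:C2:8B:BD:03 compare equal."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))


def parse_tcpdump(text):
    """Parse tcpdump -e lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["src_mac"] = normalize_mac(rec["src_mac"])
        rec["dst_mac"] = normalize_mac(rec["dst_mac"])
        records.append(rec)
    return records


def ips_per_source_mac(records):
    """Map each source MAC to the sorted list of distinct source IPs seen behind it."""
    by_mac = defaultdict(set)
    for rec in records:
        by_mac[rec["src_mac"]].add(rec["src_ip"])
    return {mac: sorted(ips) for mac, ips in by_mac.items()}


def classify(records, gateway_macs):
    """Verdict per source MAC.

    gateway_macs: MACs of routers/firewalls on the sensor's segment (assumed
    here; in practice taken from the sensor's ARP table). A MAC that fronts
    several source IPs is 'routed-traffic' if it is a known gateway, because
    every off-segment host arrives behind the last-hop router's MAC; otherwise
    it is 'investigate', since a single end host on the local segment should
    normally send from one IP.
    """
    gateways = {normalize_mac(m) for m in gateway_macs}
    verdicts = {}
    for mac, ips in ips_per_source_mac(records).items():
        if len(ips) <= 1:
            verdicts[mac] = "single-ip"
        elif mac in gateways:
            verdicts[mac] = "routed-traffic"
        else:
            verdicts[mac] = "investigate"
    return verdicts


if __name__ == "__main__":
    recs = parse_tcpdump(SAMPLE_LOG)
    # Assumed gateway MAC: the thread's hypothesis is that 0:b0:c2:8b:bd:3
    # belongs to the poster's router/firewall.
    for mac, verdict in classify(recs, {"0:b0:c2:8b:bd:3"}).items():
        print(mac, verdict, ips_per_source_mac(recs)[mac])
```

The same log classified against a gateway list that does not contain 0:b0:c2:8b:bd:3 comes back as "investigate", which is the case where the thread's spoofing suspicion would still be open.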
Current thread:
- DNS 53 <-> 53 ? Jens Hassler (Jul 17)
- Re: DNS 53 <-> 53 ? Ramin Alidousti (Jul 17)
- RE: DNS 53 <-> 53 ? John Berkers (Jul 17)
- Re: DNS 53 <-> 53 ? Ramin Alidousti (Jul 17)
- RES: DNS 53 <-> 53 ? Marcus Rocha (Jul 17)
- RE: DNS 53 <-> 53 ? John Berkers (Jul 17)
- Re: DNS 53 <-> 53 ? Blake Frantz (Jul 17)
- Re: DNS 53 <-> 53 ? Ramin Alidousti (Jul 17)
- <Possible follow-ups>
- RE: DNS 53 <-> 53 ? Jens Hassler (Jul 17)
- RE: DNS 53 <-> 53 ? Jens Hassler (Jul 17)
- RE: DNS 53 <-> 53 ? Graeme Fowler (Jul 17)
- Re: DNS 53 <-> 53 ? Ramin Alidousti (Jul 17)
- RE: DNS 53 <-> 53 ? Jens Hassler (Jul 17)
- Re: DNS 53 <-> 53 ? Ramin Alidousti (Jul 17)