Snort mailing list archives
Re: DNS traffic or portscan?
From: spyguy703 <spyguy703 () yahoo com>
Date: Tue, 26 Feb 2002 11:28:54 -0800
On Tuesday 26 February 2002 11:28 am, McCammon, Keith wrote:

Feb 22 13:20:20 dns1.mydomain.com:53 -> win32host:1092 UDP
Feb 22 13:20:21 dns1.mydomain.com:53 -> win32host:1096 UDP
Feb 22 13:20:21 dns1.mydomain.com:53 -> win32host:1099 UDP
Feb 22 13:20:21 dns1.mydomain.com:53 -> win32host:1101 UDP
Feb 22 13:20:22 dns1.mydomain.com:53 -> win32host:1103 UDP
Feb 22 13:20:24 dns1.mydomain.com:53 -> win32host:1105 UDP
Feb 22 14:10:47 dns1.mydomain.com:53 -> snorthost:1108 UDP
Feb 22 14:10:47 dns1.mydomain.com:53 -> snorthost:1109 UDP
Feb 22 14:10:48 dns1.mydomain.com:53 -> snorthost:1110 UDP
Feb 22 14:10:49 dns1.mydomain.com:53 -> snorthost:1111 UDP
Feb 22 14:10:49 dns1.mydomain.com:53 -> snorthost:1112 UDP
Feb 22 14:10:53 dns1.mydomain.com:53 -> snorthost:1113 UDP
Feb 22 14:10:53 dns1.mydomain.com:53 -> snorthost:1114 UDP
Feb 22 14:47:08 dns1.mydomain.com:53 -> snorthost:1122 UDP
Feb 22 14:47:08 dns1.mydomain.com:53 -> snorthost:1123 UDP
Feb 22 14:47:08 dns1.mydomain.com:53 -> snorthost:1124 UDP
Feb 22 14:47:10 dns1.mydomain.com:53 -> snorthost:1125 UDP
Feb 22 14:47:10 dns1.mydomain.com:53 -> snorthost:1126 UDP
Feb 22 14:47:14 dns1.mydomain.com:53 -> snorthost:1127 UDP
Feb 22 14:47:14 dns1.mydomain.com:53 -> snorthost:1128 UDP
Feb 22 17:38:45 dns1.mydomain.com:53 -> snorthost:1132 UDP
Feb 22 17:38:45 dns1.mydomain.com:53 -> snorthost:1133 UDP
Feb 22 17:38:45 dns1.mydomain.com:53 -> snorthost:1134 UDP
Feb 22 17:38:47 dns1.mydomain.com:53 -> snorthost:1135 UDP
Feb 22 17:38:47 dns1.mydomain.com:53 -> snorthost:1136 UDP
Feb 22 17:38:53 dns1.mydomain.com:53 -> snorthost:1137 UDP
Feb 22 17:38:53 dns1.mydomain.com:53 -> snorthost:1138 UDP

There's the data. I am aware that what I am providing is limited. But that is all I have. DNS Server is outside FW on some other network. SNORT is NOT running on same net. Sorry if I confused.
Can you please post the data? Given this information, there isn't much advice to be offered. And I don't even want to know why your snort management interface is on the same network as your public name server...
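Added example, not part of the original post or of Snort: a small triage script for log lines in the format quoted above. It groups them into bursts per source/destination pair and marks bursts that come only from UDP port 53 to unprivileged destination ports as looking like DNS replies. The 60-second burst gap, the 1024 port floor, the year, the function names and the two `scanner.example` lines are assumptions made for illustration; the label is a heuristic, not a verdict, since the log lines carry no payload.

```python
import re
from datetime import datetime

# First five lines are copied from the post; the last two are constructed for contrast.
SAMPLE = """\
Feb 22 13:20:20 dns1.mydomain.com:53 -> win32host:1092 UDP
Feb 22 13:20:21 dns1.mydomain.com:53 -> win32host:1096 UDP
Feb 22 14:10:47 dns1.mydomain.com:53 -> snorthost:1108 UDP
Feb 22 14:10:47 dns1.mydomain.com:53 -> snorthost:1109 UDP
Feb 22 14:47:08 dns1.mydomain.com:53 -> snorthost:1122 UDP
Feb 22 09:00:01 scanner.example:40112 -> snorthost:21 UDP
Feb 22 09:00:01 scanner.example:40113 -> snorthost:161 UDP
"""
LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")
GAP_SECONDS = 60      # assumption: a longer silence starts a new burst
EPHEMERAL_MIN = 1024  # assumption: client-side ports are unprivileged

def parse(text, year=2002):
    """Yield (time, src, sport, dst, dport, proto) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # anything not in the expected format is skipped
            ts, src, sport, dst, dport, proto = m.groups()
            when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
            yield when, src, int(sport), dst, int(dport), proto

def bursts(events):
    """Group events per (src, dst) pair, splitting on gaps over GAP_SECONDS."""
    groups, current = [], {}
    for ev in sorted(events):
        pair = (ev[1], ev[3])
        run = current.get(pair)
        if run is None or (ev[0] - run[-1][0]).total_seconds() > GAP_SECONDS:
            run = current[pair] = []
            groups.append((pair, run))
        run.append(ev)
    return groups

def triage(text):
    """Label each burst; UDP from port 53 to high ports looks like DNS replies."""
    out = []
    for (src, dst), evs in bursts(parse(text)):
        sports = {e[2] for e in evs}
        dports = sorted({e[4] for e in evs})
        dns_like = (sports == {53} and dports[0] >= EPHEMERAL_MIN
                    and all(e[5] == "UDP" for e in evs))
        out.append((src, dst, len(evs), dports,
                    "dns-reply-like" if dns_like else "review"))
    return out
```

Calling `triage()` on the full log from the post gives one row per burst, which makes the per-burst destination port ranges easy to compare against the times the hosts were resolving names.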