Snort mailing list archives
Re: DNS traffic or portscan?
From: Glenn Forbes Fleming Larratt <glratt () rice edu>
Date: Tue, 26 Feb 2002 13:43:57 -0600 (CST)
On Tue, 26 Feb 2002, spyguy703 wrote:
I will try that. Some individuals have told me that snort is only seeing one side of regular DNS traffic and thus is showing up as a portscan.
It shows up as a portscan because of the metrics applied by the portscan preprocessor. By explicitly logging it with a "log" or "alert" rule, you'll get the traffic in the snort-xxxx@yyyy files as well (assuming you're doing binary logging). E.G. log udp any any <> dns.mydomain.com 53 . Be aware - this may generate a *lot* of traffic.
possible? if so, what did i do wrong with snort?
Yes, it's possible, but the fact that it's in portscan.log and not snort-xxxx@yyyy is not a sure indication. If you add a rule, even briefly, as above, it should either show you both sides of the conversation, or prove that your sensor can only see one side. If you still only see one side, then it's probably not a Snort problem per se, but a problem with the configuration of your listening port - it's only listening to traffic in one direction. -g
On Tuesday 26 February 2002 11:24 am, Glenn Forbes Fleming Larratt wrote:It's not a sure thing, but, examining from stimulus-response perspective, it's mighty convenient that the source port numbers increment more or less sequentially - across, supposedly, two different source hosts. It's a reasonable possibility someone spoofed the addresses of win32host, snorthost, or both. Configuring Snort to log traffic to dns1.mydomain.com might help determine (a) source MAC addresses, to confirm or deny the spoofing theory, (b) contents of the DNS requests stimulating this response (DDNS? Cache poisoning? version.bind queries? etc.). -g On Tue, 26 Feb 2002, spyguy703 wrote:Can someone please help me figure out what to make of this traffic that I pulled from portscan.log? I had DNS admins checkout the DNS server and they are certain that it has not been compromised and that no one is scanning me. "dns1.mydomain.com" is our DNS server on the internet "win32host" is a windows host on the DMZ network (publicly routable IP) "snorthost" is the management interface on the snort host that monitors this network. Feb 22 13:20:20 dns1.mydomain.com:53 -> win32host:1092 UDP Feb 22 13:20:21 dns1.mydomain.com:53 -> win32host:1096 UDP Feb 22 13:20:21 dns1.mydomain.com:53 -> win32host:1099 UDP Feb 22 13:20:21 dns1.mydomain.com:53 -> win32host:1101 UDP Feb 22 13:20:22 dns1.mydomain.com:53 -> win32host:1103 UDP Feb 22 13:20:24 dns1.mydomain.com:53 -> win32host:1105 UDP Feb 22 14:10:47 dns1.mydomain.com:53 -> snorthost:1108 UDP Feb 22 14:10:47 dns1.mydomain.com:53 -> snorthost:1109 UDP Feb 22 14:10:48 dns1.mydomain.com:53 -> snorthost:1110 UDP Feb 22 14:10:49 dns1.mydomain.com:53 -> snorthost:1111 UDP Feb 22 14:10:49 dns1.mydomain.com:53 -> snorthost:1112 UDP Feb 22 14:10:53 dns1.mydomain.com:53 -> snorthost:1113 UDP Feb 22 14:10:53 dns1.mydomain.com:53 -> snorthost:1114 UDP Feb 22 14:47:08 dns1.mydomain.com:53 -> snorthost:1122 UDP Feb 22 14:47:08 dns1.mydomain.com:53 -> snorthost:1123 UDP Feb 22 14:47:08 dns1.mydomain.com:53 -> snorthost:1124 UDP Feb 22 14:47:10 dns1.mydomain.com:53 -> snorthost:1125 UDP Feb 22 14:47:10 dns1.mydomain.com:53 -> snorthost:1126 UDP Feb 22 14:47:14 dns1.mydomain.com:53 -> snorthost:1127 UDP Feb 22 14:47:14 dns1.mydomain.com:53 -> snorthost:1128 UDP Feb 22 17:38:45 dns1.mydomain.com:53 -> snorthost:1132 UDP Feb 22 17:38:45 dns1.mydomain.com:53 -> snorthost:1133 UDP Feb 22 17:38:45 dns1.mydomain.com:53 -> snorthost:1134 UDP Feb 22 17:38:47 dns1.mydomain.com:53 -> snorthost:1135 UDP Feb 22 17:38:47 dns1.mydomain.com:53 -> snorthost:1136 UDP Feb 22 17:38:53 dns1.mydomain.com:53 -> snorthost:1137 UDP Feb 22 17:38:53 dns1.mydomain.com:53 -> snorthost:1138 UDPGlenn Forbes Fleming Larratt Rice University Network Management glratt () rice edu _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users_________________________________________________________ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com
Glenn Forbes Fleming Larratt Rice University Network Management glratt () rice edu _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- DNS traffic or portscan? spyguy703 (Feb 26)
- Re: DNS traffic or portscan? Glenn Forbes Fleming Larratt (Feb 26)
- Re: DNS traffic or portscan? spyguy703 (Feb 26)
- <Possible follow-ups>
- RE: DNS traffic or portscan? McCammon, Keith (Feb 26)
- Re: DNS traffic or portscan? spyguy703 (Feb 26)
- Re: DNS traffic or portscan? Glenn Forbes Fleming Larratt (Feb 26)
- RE: DNS traffic or portscan? McCammon, Keith (Feb 26)
- Re: DNS traffic or portscan? Glenn Forbes Fleming Larratt (Feb 26)