Snort mailing list archives

Re: DNS traffic or portscan?


From: Glenn Forbes Fleming Larratt <glratt () rice edu>
Date: Tue, 26 Feb 2002 13:43:57 -0600 (CST)

On Tue, 26 Feb 2002, spyguy703 wrote:

I will try that. Some individuals have told me that snort is only seeing one
side of regular DNS traffic and thus is showing up as a portscan.

        It shows up as a portscan because of the metrics applied by the
        portscan preprocessor. By explicitly logging it with a "log" or
        "alert" rule, you'll get the traffic in the snort-xxxx@yyyy files
        as well (assuming you're doing binary logging). E.G.

log udp any any <> dns.mydomain.com 53

        Be aware - this may generate a *lot* of traffic.


possible? If so, what did I do wrong with Snort?

        Yes, it's possible, but the fact that it's in portscan.log and not
        snort-xxxx@yyyy is not a sure indication. If you add a rule, even
        briefly, as above, it should either show you both sides of the
        conversation, or prove that your sensor can only see one side.

        If you still only see one side, then it's probably not a Snort
        problem per se, but a problem with the configuration of your
        listening port - it's only listening to traffic in one direction.

                -g


On Tuesday 26 February 2002 11:24 am, Glenn Forbes Fleming Larratt wrote:
It's not a sure thing, but, examining it from a stimulus-response perspective,
it's mighty convenient that the source port numbers increment more or less
sequentially - across, supposedly, two different source hosts. It's a
reasonable possibility someone spoofed the addresses of win32host,
snorthost, or both.

Configuring Snort to log traffic to dns1.mydomain.com might help determine
(a) source MAC addresses, to confirm or deny the spoofing theory,
(b) contents of the DNS requests stimulating this response (DDNS? Cache
poisoning? version.bind queries? etc.).

    -g

On Tue, 26 Feb 2002, spyguy703 wrote:
Can someone please help me figure out what to make of this traffic that I
pulled from portscan.log?

I had the DNS admins check out the DNS server and they are certain that it has
not been compromised and that no one is scanning me.

"dns1.mydomain.com" is our DNS server on the internet
"win32host" is a windows host on the DMZ network (publicly routable IP)
"snorthost" is the management interface on the snort host that monitors
this network.


Feb 22 13:20:20 dns1.mydomain.com:53 -> win32host:1092 UDP
Feb 22 13:20:21 dns1.mydomain.com:53 -> win32host:1096 UDP
Feb 22 13:20:21 dns1.mydomain.com:53 -> win32host:1099 UDP
Feb 22 13:20:21 dns1.mydomain.com:53 -> win32host:1101 UDP
Feb 22 13:20:22 dns1.mydomain.com:53 -> win32host:1103 UDP
Feb 22 13:20:24 dns1.mydomain.com:53 -> win32host:1105 UDP
Feb 22 14:10:47 dns1.mydomain.com:53 -> snorthost:1108 UDP
Feb 22 14:10:47 dns1.mydomain.com:53 -> snorthost:1109 UDP
Feb 22 14:10:48 dns1.mydomain.com:53 -> snorthost:1110 UDP
Feb 22 14:10:49 dns1.mydomain.com:53 -> snorthost:1111 UDP
Feb 22 14:10:49 dns1.mydomain.com:53 -> snorthost:1112 UDP
Feb 22 14:10:53 dns1.mydomain.com:53 -> snorthost:1113 UDP
Feb 22 14:10:53 dns1.mydomain.com:53 -> snorthost:1114 UDP
Feb 22 14:47:08 dns1.mydomain.com:53 -> snorthost:1122 UDP
Feb 22 14:47:08 dns1.mydomain.com:53 -> snorthost:1123 UDP
Feb 22 14:47:08 dns1.mydomain.com:53 -> snorthost:1124 UDP
Feb 22 14:47:10 dns1.mydomain.com:53 -> snorthost:1125 UDP
Feb 22 14:47:10 dns1.mydomain.com:53 -> snorthost:1126 UDP
Feb 22 14:47:14 dns1.mydomain.com:53 -> snorthost:1127 UDP
Feb 22 14:47:14 dns1.mydomain.com:53 -> snorthost:1128 UDP
Feb 22 17:38:45 dns1.mydomain.com:53 -> snorthost:1132 UDP
Feb 22 17:38:45 dns1.mydomain.com:53 -> snorthost:1133 UDP
Feb 22 17:38:45 dns1.mydomain.com:53 -> snorthost:1134 UDP
Feb 22 17:38:47 dns1.mydomain.com:53 -> snorthost:1135 UDP
Feb 22 17:38:47 dns1.mydomain.com:53 -> snorthost:1136 UDP
Feb 22 17:38:53 dns1.mydomain.com:53 -> snorthost:1137 UDP
Feb 22 17:38:53 dns1.mydomain.com:53 -> snorthost:1138 UDP

                            Glenn Forbes Fleming Larratt
                            Rice University Network Management
                            glratt () rice edu



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users







