Snort mailing list archives

RE: DNS 53 <-> 53 ?


From: Graeme Fowler <graeme.fowler () hosteurope com>
Date: Tue, 17 Jul 2001 17:16:23 +0100

Howdy

<message edited>
I've had a second look over the tcpdump log. Have a look at this:
14:21:22.145075 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 78: 
14:54:26.078810 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 79: 
15:17:42.677608 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 83: 

Three times the same hardware address (source), but each with 
a different IP address.

I think this looks indeed like spoofing... or is there any 
valid reason for something like this?

Let me guess... your Snort box is effectively *outside* your
router/firewall, right?

Network <-> router/firewall <-> snort <-> world

Snort is seeing the HW address of your router/firewall. It cannot see the
hardware address of the external source machine as this gets removed from
(or changed in) the MAC header by successive routers. A MAC address has no
relevance outside of the local LAN, so each time the packet traverses a
router the MAC address it carries is that of the last hop (router or end
node).

The 0:0:0:0:0:1 address is the last hop telling the next hop "I don't know
this, it's not relevant anyway, but fill it in if you know it and can hand
off the packet directly to it" - otherwise known as the 'Me' address.
Unknown addresses are 0:0:0:0:0:0, just look in a DHCP packet for example.

HTH

Graeme
-- 
Graeme Fowler
System Administrator
Host Europe Group PLC



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
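An added check, not part of this thread or of Snort, that applies Graeme's reasoning to tcpdump -e output: group frames by source MAC and look at which IPs each MAC carries. One MAC fronting many off-subnet IPs is the last-hop router, not spoofing; one MAC carrying several IPs inside the sensor's own subnet is the case worth a second look. The sample lines, their IP addresses and the local subnet 203.0.113.0/24 are constructed, since the quoted lines in the thread were cut before the IP fields.

```python
import ipaddress
import re
from collections import defaultdict

# Old-style tcpdump -e line layout as seen in the thread:
# "<time> < <src mac> <dst mac> ip <len>: <src ip>.<port> > <dst ip>.<port>: ..."
LINE_RE = re.compile(
    r"^\S+ [<>] (?P<smac>[0-9a-f:]+) (?P<dmac>[0-9a-f:]+) ip \d+: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dip>\d+\.\d+\.\d+\.\d+)\.\d+"
)

# Constructed sample modelled on the three frames in the thread plus one reply
# from a local host (0:50:4:1a:2b:3c is a made-up local MAC).
SAMPLE = """\
14:21:22.145075 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 78: 198.51.100.7.53 > 203.0.113.10.53: 1234 A? example.com.
14:54:26.078810 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 79: 192.0.2.44.53 > 203.0.113.10.53: 5678 A? example.org.
15:17:42.677608 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 83: 198.51.100.200.53 > 203.0.113.10.53: 9012 A? example.net.
15:20:01.000000 > 0:50:4:1a:2b:3c 0:b0:c2:8b:bd:3 ip 70: 203.0.113.10.53 > 198.51.100.7.53: 1234 1/0/0 A 192.0.2.1
"""


def group_ips_by_mac(log_text):
    """Map each source MAC to the set of source IPs it was seen carrying."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            seen[m.group("smac")].add(m.group("sip"))
    return seen


def classify(mac_to_ips, local_net):
    """Label each MAC: off-subnet IPs mean a router relaying traffic (expected when
    the sensor sits outside it); several local IPs on one MAC merit investigation."""
    net = ipaddress.ip_network(local_net)
    verdicts = {}
    for mac, ips in mac_to_ips.items():
        remote = {ip for ip in ips if ipaddress.ip_address(ip) not in net}
        local = ips - remote
        if remote:
            verdicts[mac] = "last-hop router (carries off-subnet IPs)"
        elif len(local) > 1:
            verdicts[mac] = "multiple local IPs on one MAC: investigate"
        else:
            verdicts[mac] = "single local host"
    return verdicts


if __name__ == "__main__":
    for mac, verdict in classify(group_ips_by_mac(SAMPLE), "203.0.113.0/24").items():
        print(f"{mac:18} {verdict}")
```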