Snort mailing list archives
snort dns spoof alerts
From: chatiman <chatiman () free fr>
Date: Thu, 11 Nov 2004 06:39:25 +0100
Hello,

I noticed some DNS SPOOF attacks in my logs. The source IP is set to one of the DNS servers of my provider. According to snort.org, there are no false positives known for this rule.

So I tried to find out which request was spoofed from the tcpdump logs:
- I extracted the DNS requests created the same day as the attack.

What I found is a dozen lines like:

<time> IP <isp-dns> > <myip>:60412: 2236 1/0/0 A <myip> (48)

This seems to be a dangerous kind of attack to me (e.g. spoof IP of ecommerce site, mail servers ...).

Can I do something to protect against that? Do I need to report it to my ISP?

Thanks
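The correlation step described in the message above (pairing each logged DNS response with the request that should have preceded it) can be scripted. This is an added example, not part of the original post: it assumes unredacted `tcpdump -n` text output for IPv4 UDP DNS, the addresses and sample lines are constructed, and the names `classify` and `seconds` are hypothetical.

```python
import re

# One line of "tcpdump -n" text output; endpoints are printed as "a.b.c.d.port".
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<id>\d+)(?P<rest>.*)$")

# Constructed sample capture (documentation addresses, not real traffic).
SAMPLE = """\
06:39:25.100000 IP 198.51.100.7.60411 > 192.0.2.53.53:  1201+ A? www.example.com. (33)
06:39:25.130000 IP 192.0.2.53.53 > 198.51.100.7.60411:  1201 1/0/0 A 203.0.113.10 (49)
06:39:25.131000 IP 192.0.2.53.53 > 198.51.100.7.60411:  1201 1/0/0 A 203.0.113.66 (49)
06:39:26.000000 IP 192.0.2.53.53 > 198.51.100.7.60412:  2236 1/0/0 A 198.51.100.7 (48)
""".splitlines()

def seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def classify(lines, window=5.0):
    """Return (line, verdict) for every DNS response in the capture."""
    pending = {}      # (client, client port, server, txid) -> query time
    answered = set()  # keys that already received one response
    out = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        t, txid = seconds(m["ts"]), m["id"]
        if m["dport"] == "53" and "?" in m["rest"]:   # outgoing query
            key = (m["src"], m["sport"], m["dst"], txid)
            pending[key] = t
            answered.discard(key)                     # retransmit resets state
        elif m["sport"] == "53":                      # incoming response
            key = (m["dst"], m["dport"], m["src"], txid)
            if key in answered:
                verdict = "duplicate"      # second answer to the same query
            elif key in pending and 0 <= t - pending[key] <= window:
                verdict = "matched"
                answered.add(key)
            else:
                verdict = "unsolicited"    # no query with this port and id
            out.append((line, verdict))
    return out

if __name__ == "__main__":
    print(*(f"{v:12} {l}" for l, v in classify(SAMPLE)), sep="\n")
```

An "unsolicited" verdict only means the capture holds no matching query; a capture that started late or dropped packets produces the same result, so check that the query side was actually being recorded before drawing conclusions.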