Snort mailing list archives

snort dns spoof alerts


From: chatiman <chatiman () free fr>
Date: Thu, 11 Nov 2004 06:39:25 +0100


Hello,

I noticed some DNS SPOOF attacks in my logs.

The source IP is set to one of the DNS servers of
my provider.

According to snort.org, there are no known false
positives for this rule.

So I tried to find out which request was spoofed
from the tcpdump logs:
- I extracted DNS requests created the same day as the
attack.

What I found is a dozen lines like:
<time> IP <isp-dns> > <myip>:60412:  2236 1/0/0 A <myip> (48)

This seems to be a dangerous kind of attack to me (e.g. spoofing
the IP of an e-commerce site, mail servers ...)

Can I do something to protect against that?
Do I need to report it to my ISP?


Thanks
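
One way to do the correlation described in the message above, added here as an example and not part of the original post: it pairs each DNS response in `tcpdump -n` text output with an earlier query from the same client port and transaction ID, and flags responses that have no such query or whose A record is the receiver's own address. The line layout, addresses and sample capture are assumptions constructed for the example.

```python
import re

# Assumed layout: default one-line `tcpdump -n` text output for DNS over UDP.
PKT = re.compile(
    r"^(?P<time>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): +(?P<id>\d+)(?P<flags>\S*) (?P<rest>.*)$"
)
COUNTS = re.compile(r"^(\d+)/(\d+)/(\d+) (.*) \(\d+\)$")  # an/ns/ar answers (len)
A_REC = re.compile(r"\bA ([\d.]+)")                        # IPv4 answers only

def parse(line):
    """Return a dict for a DNS query or response line, or None if unrecognised."""
    m = PKT.match(line.strip())
    if not m:
        return None
    p = m.groupdict()
    c = COUNTS.match(p["rest"])
    if c:
        p.update(kind="response", counts=tuple(map(int, c.groups()[:3])),
                 a_records=A_REC.findall(c.group(4)))
    elif "? " in p["rest"]:
        p["kind"] = "query"
    else:
        return None  # other layouts (e.g. error replies) are not handled here
    return p

def triage(lines):
    """List (time, id, reasons) for responses worth a closer look."""
    pending = set()  # (client ip, client port, resolver ip, id) of queries seen
    findings = []
    for p in filter(None, map(parse, lines)):
        if p["kind"] == "query":
            pending.add((p["src"], p["sport"], p["dst"], p["id"]))
            continue
        key = (p["dst"], p["dport"], p["src"], p["id"])
        reasons = [] if key in pending else ["no matching query"]
        pending.discard(key)
        if p["dst"] in p["a_records"]:
            reasons.append("answer is the receiver's own address")
        if reasons:
            findings.append((p["time"], p["id"], reasons))
    return findings

# Constructed sample (documentation addresses); last line mirrors the quoted one.
SAMPLE = """\
06:01:10.100000 IP 192.0.2.10.40001 > 198.51.100.53.53: 1111+ A? www.example.org. (33)
06:01:10.130000 IP 198.51.100.53.53 > 192.0.2.10.40001: 1111 1/0/0 A 203.0.113.7 (49)
06:02:44.500000 IP 198.51.100.53.53 > 192.0.2.10.60412:  2236 1/0/0 A 192.0.2.10 (48)
""".splitlines()
```

A response with no matching query may only mean the query fell outside the capture window, so treat that finding as a lead to check rather than a verdict.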



