Snort mailing list archives
RE: DNS 53 <-> 53 ?
From: "Jens Hassler" <j.hassler () gmx net>
Date: Tue, 17 Jul 2001 16:22:17 +0200
Hi John (& all others), I've had a second look over the tcpdump log. Have a look at this: ========================================= 14:21:22.145075 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 78: 129.70.132.100.domain > 212.185.42.146.domain: 14421 SOA? strip-cam-world .de. (36) (DF) (ttl 246, id 31560) 14:54:26.078810 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 79: 194.25.0.125.domain > 212.185.42.146.domain: 7781 SOA? kostenlos-webcam.d e. (37) (DF) (ttl 246, id 34715) 15:17:42.677608 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 83: 192.132.210.43.domain > 212.185.42.146.domain: 34096 CNAME? www.kostenlos-webcam.de. (41) (ttl 49, id 34832) ========================================= Three times the same hardware address (source), but each with a different IP address. I think this looks indeed like spoofing... or is there any valid reason for somethin like this? Thx, Jens _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- DNS 53 <-> 53 ? Jens Hassler (Jul 17)
- Re: DNS 53 <-> 53 ? Ramin Alidousti (Jul 17)
- RE: DNS 53 <-> 53 ? John Berkers (Jul 17)
- Re: DNS 53 <-> 53 ? Ramin Alidousti (Jul 17)
- RES: DNS 53 <-> 53 ? Marcus Rocha (Jul 17)
- RE: DNS 53 <-> 53 ? John Berkers (Jul 17)
- Re: DNS 53 <-> 53 ? Blake Frantz (Jul 17)
- Re: DNS 53 <-> 53 ? Ramin Alidousti (Jul 17)
- <Possible follow-ups>
- RE: DNS 53 <-> 53 ? Jens Hassler (Jul 17)
- RE: DNS 53 <-> 53 ? Jens Hassler (Jul 17)
- RE: DNS 53 <-> 53 ? Graeme Fowler (Jul 17)
- Re: DNS 53 <-> 53 ? Ramin Alidousti (Jul 17)
- RE: DNS 53 <-> 53 ? Jens Hassler (Jul 17)
- Re: DNS 53 <-> 53 ? Ramin Alidousti (Jul 17)