Snort mailing list archives
Unknown alert
From: Joe Hill <joehill () sympatico ca>
Date: Thu, 3 Apr 2003 19:28:48 -0500
I get this over and over in my alert log window:

[**] [1:254:2] DNS SPOOF query response with ttl: 1 min. and no authority [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/03-18:31:27.612252 0:90:27:90:30:2E -> 0:90:27:90:32:6F type:0x800 len:0x5D
192.168.0.1:53 -> 192.168.0.10:32795 UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:79 DF
Len: 59

The Snort definitions:
http://www.snort.org/snort-db/sid.html?id=254
show no info. Anyone have any offhand info on this?

Some info to provide context: I am running snort on my workstation (work??!!...riiiiiiiight), and my workstation is connected to a hub along with my wife's XP (shudder) box. The hub is then connected to my BBIAgent firewall (one o' those floppy distros) which provides firewall, NAT and port forwarding, and finally my DSL modem ("the leg bone's connected to the...red thing..." -Dr. Nick Riviera).

Am I just seeing traffic between the router and my wkstn? Is running snort on an internal network with this type of setup even going to see anything from the outside internet?

Is this something like I am looking for to exclude known or innocuous alerts?

# DNS_SERVERS holds the addresses of "noisy" computers like DNS or NWM
# to be ignored from portscans
var DNS_SERVERS [1.1.1.1/32,2.2.2.2/32]

Reading the docs as we speak...
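An added example (not part of the original post, and not Snort's own code): a small Python parser for the multi-line alert format quoted in the message. It tallies alerts by signature ID and source so that a repeating alert whose two endpoints are both private addresses stands out from traffic arriving from outside. The second record, its sid 999999 and the address 203.0.113.7 are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# The alert from the post, laid out in Snort's multi-line alert format.
POST_ALERT = """\
[**] [1:254:2] DNS SPOOF query response with ttl: 1 min. and no authority [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/03-18:31:27.612252 0:90:27:90:30:2E -> 0:90:27:90:32:6F type:0x800 len:0x5D
192.168.0.1:53 -> 192.168.0.10:32795 UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:79 DF
Len: 59
"""
# Constructed record (made-up sid, documentation address) for contrast.
OTHER = """\
[**] [1:999999:1] CONSTRUCTED example alert [**]
[Classification: Misc activity] [Priority: 3]
04/03-18:40:00.000001 203.0.113.7:4444 -> 192.168.0.10:22
TCP TTL:50 TOS:0x0 ID:1 IpLen:20 DgmLen:60
"""
SAMPLE = "\n".join([POST_ALERT, POST_ALERT, OTHER])  # constructed log, blank-line separated

HEADER = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")  # [gid:sid:rev] msg
FLOW = re.compile(r"(\d+\.\d+\.\d+\.\d+)(?::(\d+))? -> (\d+\.\d+\.\d+\.\d+)(?::(\d+))?")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_alerts(text):
    """Yield one dict per blank-line-separated alert record."""
    for record in re.split(r"\n\s*\n", text.strip()):
        head, flow = HEADER.search(record), FLOW.search(record)
        if not (head and flow):
            continue  # truncated record, or one without an IPv4 flow line
        gid, sid, rev, msg = head.groups()
        src, sport, dst, dport = flow.groups()  # ports are absent for ICMP
        yield {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg, "src": src,
               "sport": int(sport) if sport else None, "dst": dst, "dport": int(dport) if dport else None}

def summarize(text):
    """Return [((sid, src, sport), count, both_ends_private)], most frequent first."""
    counts, internal = Counter(), {}
    for a in parse_alerts(text):
        key = (a["sid"], a["src"], a["sport"])
        counts[key] += 1
        internal[key] = all(any(ip_address(a[k]) in n for n in RFC1918) for k in ("src", "dst"))
    return [(key, n, internal[key]) for key, n in counts.most_common()]

if __name__ == "__main__":
    for (sid, src, sport), n, both_private in summarize(SAMPLE):
        scope = "both ends private" if both_private else "one end is outside RFC 1918"
        print(f"sid {sid} from {src}:{sport}  x{n}  {scope}")
```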