Snort mailing list archives

Unknown alert


From: Joe Hill <joehill () sympatico ca>
Date: Thu, 3 Apr 2003 19:28:48 -0500

I get this over and over in my alert log window:

[**] [1:254:2] DNS SPOOF query response with ttl: 1 min. and no authority [**]
[Classification: Potentially Bad Traffic] [Priority: 2] 
04/03-18:31:27.612252 0:90:27:90:30:2E -> 0:90:27:90:32:6F type:0x800 len:0x5D
192.168.0.1:53 -> 192.168.0.10:32795 UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:79 DF
Len: 59

The Snort definitions:

http://www.snort.org/snort-db/sid.html?id=254

show no info. Anyone have any offhand info on this?

Some info to provide context: I am running snort on my workstation (work??!!...riiiiiiiight), and my workstation is connected to a hub along with my wife's XP (shudder) box. The hub is then connected to my BBIAgent firewall (one o' those floppy distros) which provides firewall, NAT and port forwarding, and finally my DSL modem ("the leg bone's connected to the...red thing..." -Dr. Nick Riviera).

Am I just seeing traffic between the router and my wkstn? Is running snort on an internal network with this type of setup even going to see anything from the outside internet?

Is this something like what I am looking for to exclude known or innocuous alerts?

      # DNS_SERVERS holds the addresses of "noisy" computers like DNS or NWM
      # to be ignored from portscans
      var DNS_SERVERS [1.1.1.1/32,2.2.2.2/32]

reading the docs as we speak...
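
Added example (not part of the original message and not Snort project code): a small triage script for the full-format alert log quoted above. It tallies alerts by signature and endpoint pair and flags flows where both addresses are private, which is one way to check whether a repeating alert is only LAN traffic before deciding to exclude it. The function names are hypothetical, and the second alert in the sample is constructed.

```python
import ipaddress
import re
from collections import Counter

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
FLOW = re.compile(r"^(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (\w+)")

# Constructed sample: the alert quoted in the post, plus a second copy with a
# made-up later timestamp and client port to stand in for "over and over".
ALERT = """[**] [1:254:2] DNS SPOOF query response with ttl: 1 min. and no authority [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/03-18:31:27.612252 0:90:27:90:30:2E -> 0:90:27:90:32:6F type:0x800 len:0x5D
192.168.0.1:53 -> 192.168.0.10:32795 UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:79 DF
Len: 59
"""
SAMPLE = ALERT + "\n" + ALERT.replace("18:31:27.612252", "18:32:02.104417").replace("32795", "32796")


def parse_alerts(text):
    """Yield one dict per alert block (blocks are separated by blank lines)."""
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines()]
        head = HEADER.match(lines[0]) if lines else None
        flow = next((m for m in map(FLOW.match, lines) if m), None)
        if not head or not flow:
            continue  # skip anything that is not a complete alert
        src, sport, dst, dport, proto = flow.groups()
        yield {"gid": int(head[1]), "sid": int(head[2]), "rev": int(head[3]),
               "msg": head[4], "src": src, "sport": int(sport),
               "dst": dst, "dport": int(dport), "proto": proto}


def summarize(text):
    """Count alerts per (gid:sid, src, dst) and flag LAN-only flows."""
    counts = Counter((f"{a['gid']}:{a['sid']}", a["src"], a["dst"]) for a in parse_alerts(text))
    rows = []
    for (sig, src, dst), n in counts.most_common():
        internal = ipaddress.ip_address(src).is_private and ipaddress.ip_address(dst).is_private
        rows.append({"sig": sig, "src": src, "dst": dst, "count": n, "internal_only": internal})
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

Run against a real alert file by passing its contents to `summarize()`; rows with a high count and `internal_only` set are the candidates to review first.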




