
List:       security-basics
Subject:    RE: snort portscan detects a scan from my primary DNS usingsource prot53?
From:       <theog () yoda ! dnsq ! org>
Date:       2001-09-28 0:42:33

Someone might be "hiding" behind your DNS's IP address... spoofing...

TheOg

-----Original Message-----
From: Rajaie [mailto:rajaie@palnet.com]
Sent: Friday, September 21, 2001 3:03 AM
To: Milan Goellner; security-basics@securityfocus.com
Subject: Re: snort portscan detects a scan from my primary DNS usingsource
prot53?


Hi,
Actually I faced something like this, but it was not a UDP packet;
Snort detected it as a portscan from the DNS... can anyone advise?

regards.
----- Original Message -----
From: "Milan Goellner" <milan.goellner@compu-shack.com>
To: <security-basics@securityfocus.com>
Sent: Thursday, September 20, 2001 10:57 AM
Subject: Antw: snort portscan detects a scan from my primary DNS usingsource
prot53?


> >>> somogyi lorand <somogyil@matchassist.com> 19.09.01 15:03:58 >>>
> >Hi,
> >I'm wondering if this is normal behaviour.
> >My primary DNS is on x.x.x.x, and my ip is
> >y.y.y.y. Snort portscan.log extr.:
> >
> >------------------------------------------------
> >Sep 19 10:41:05 x.x.x.x:53 -> y.y.y.y:32783 UDP
> >Sep 19 10:41:05 x.x.x.x:53 -> y.y.y.y:32784 UDP
> >Sep 19 10:41:05 x.x.x.x:53 -> y.y.y.y:32785 UDP
> >Sep 19 10:41:05 x.x.x.x:53 -> y.y.y.y:32786 UDP
> >Sep 19 10:41:05 x.x.x.x:53 -> y.y.y.y:32787 UDP
> >Sep 19 10:41:05 x.x.x.x:53 -> y.y.y.y:32788 UDP
> >Sep 19 10:41:05 x.x.x.x:53 -> y.y.y.y:32789 UDP
> >Sep 19 10:41:05 x.x.x.x:53 -> y.y.y.y:32790 UDP
> >and so on...
> >------------------------------------------------
> >
> >So, if I'm right someone scans my machine from the
> >primary DNS machine, using port 53 as their source
> >port. Or is this a normal DNS behavior?
> >
> >Greetings,
> >L.
>
> looks like normal DNS replies to me
>
>
> Mit freundlichen Grüßen / Kind Regards
>
> Milan Goellner
> Network Technician
>
> ----------------------------------------------------------------
> Compu-Shack Electronic GmbH
> Ringstrasse 56-58
> 56564 Neuwied
> Germany
>
> Telefon             +49/(0) 26 31-9 83-962
> Email                 milan.goellner@compu-shack.com
>                          http://www.compu-shack.com
>
>
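
A triage sketch for the portscan.log entries discussed in this thread, added here as an example and not part of any poster's message: it groups entries by source and separates groups that look like DNS replies (UDP, source port 53, from a resolver you configured, to unprivileged ports) from those that need a closer look, such as the non-UDP case mentioned above. The addresses, the `SYN` sample line and the function name `triage` are constructed assumptions; a "likely-dns-replies" verdict cannot rule out a spoofed source address, which requires matching the replies against your own outgoing queries.

```python
import re
from collections import defaultdict

# Constructed sample in the log layout quoted in the thread; the addresses are
# documentation-range placeholders, not values from the original post.
SAMPLE_LOG = """\
Sep 19 10:41:05 192.0.2.53:53 -> 198.51.100.10:32783 UDP
Sep 19 10:41:05 192.0.2.53:53 -> 198.51.100.10:32784 UDP
Sep 19 10:41:05 192.0.2.53:53 -> 198.51.100.10:32785 UDP
Sep 19 10:41:07 203.0.113.9:53 -> 198.51.100.10:22 UDP
Sep 19 10:41:07 203.0.113.9:53 -> 198.51.100.10:111 UDP
Sep 19 10:41:08 192.0.2.54:53 -> 198.51.100.10:32790 SYN
"""

LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+([\d.]+):(\d+) -> ([\d.]+):(\d+) (\S+)"
)

def triage(log_text, resolvers, unprivileged_min=1024):
    """Return {source_ip: (verdict, [reasons])} for each source in the log."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip separators and lines in an unknown layout
        src, sport, _dst, dport, proto = m.groups()
        groups[src].append((int(sport), int(dport), proto))

    verdicts = {}
    for src, entries in groups.items():
        reasons = []
        if src not in resolvers:
            reasons.append("source is not a configured resolver")
        if any(proto != "UDP" for _, _, proto in entries):
            reasons.append("non-UDP entry")
        if any(sport != 53 for sport, _, _ in entries):
            reasons.append("source port is not 53")
        if any(dport < unprivileged_min for _, dport, _ in entries):
            reasons.append("destination port below %d" % unprivileged_min)
        verdict = "investigate" if reasons else "likely-dns-replies"
        verdicts[src] = (verdict, reasons)
    return verdicts

if __name__ == "__main__":
    # Assumption: these are the resolvers listed in the host's resolv.conf.
    for src, (verdict, reasons) in triage(
        SAMPLE_LOG, {"192.0.2.53", "192.0.2.54"}
    ).items():
        print(src, verdict, "; ".join(reasons))
```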
