hi,
actually I faced something like this but actually it was not a UDP packet ,
snort detected it was a portscan from the DNS ...any one can advice?
regards.
----- Original Message -----
From: "Milan Goellner" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 20, 2001 10:57 AM
Subject: Antw: snort portscan detects a scan from my primary DNS usingsource
prot53?
> >>> somogyi lorand <[EMAIL PROTECTED]> 19.09.01 15:03:58 >>>
> >Hi,
> >I'm wondering if this is normal behaviour.
> >My primary DNS is on x.x.x.x, and my ip is
> >y.y.y.y. Snort portscan.log extr.:
> >
> >------------------------------------------------
> >Sep 19 10:41:05 x.x.x.x:53 -> y.y.y.y:32783 UDP
> >Sep 19 10:41:05 x.x.x.x:53 -> y.y.y.y:32784 UDP
> >Sep 19 10:41:05 x.x.x.x:53 -> y.y.y.y:32785 UDP
> >Sep 19 10:41:05 x.x.x.x:53 -> y.y.y.y:32786 UDP
> >Sep 19 10:41:05 x.x.x.x:53 -> y.y.y.y:32787 UDP
> >Sep 19 10:41:05 x.x.x.x:53 -> y.y.y.y:32788 UDP
> >Sep 19 10:41:05 x.x.x.x:53 -> y.y.y.y:32789 UDP
> >Sep 19 10:41:05 x.x.x.x:53 -> y.y.y.y:32790 UDP
> >and so on...
> >------------------------------------------------
> >
> >So, if I'm rigth someone scans my machine from the
> >primary DNS machine, using port 53 as their source
> >port. Or is this a normal DNS behavior?
> >
> >Greatings,
> >L.
>
> looks like normal DNS replies to me
>
>
> Mit freundlichen Gr��en / Kind Regards
>
> Milan Goellner
> Network Technician
>
> ----------------------------------------------------------------
> Compu-Shack Electronic GmbH
> Ringstrasse 56-58
> 56564 Neuwied
> Germany
>
> Telefon +49/(0) 26 31-9 83-962
> Email [EMAIL PROTECTED]
> http://www.compu-shack.com
>
>
