Thanks to all who replied to my query. Actually, I'm not quite as naive as my post may have suggested. I have a *basic* understanding of DNS. The thing that threw me on this one was the rapid bursts of packets to incremental high ports. I still don't quite understand it, but Mr. Brenton shed some light on the issue:

"I see this from time to time. _Usually_ the culprit is the target system thinks it already received a reply or timed out the connection. The DNS server is still trying to reply and starts hitting incremental ports (remember DNS has no flags to work with, so gracefully killing a UDP connection can get messy). Usually the attempt dies after an hour or so, but it depends on the platform the DNS server is using. I've seen HP systems continue to retry for months. :)"

I have taken the advice that most of you provided, and excluded my DNS server in the preprocessor directives for Snort. Now, if most IDSs have the same attribute, it occurs to me that hijacking a DNS server would be an ideal way to launch attacks against other machines in a network.....

Thanks again for helping me to understand this stuff.

Michael

On Tuesday 29 May 2001 13:44, I wrote:
> Snort grabbed the following traces last night. The source is my ISP's DNS
> server. Any ideas?
>
> May 28 21:42:40 111.222.333.444:53 -> 192.168.1.1:61068 UDP
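As an added illustration of the distinction discussed in this message (not code from the thread or from Snort): a small Python classifier that parses Snort portscan-style log lines in the format quoted above, treats a burst from a configured resolver's UDP port 53 to climbing high ports as late DNS reply retries, and flags other multi-port bursts for review instead of excluding the resolver outright. The resolver address 192.0.2.53, the host 198.51.100.7 and the log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Matches the portscan-style lines Snort logged in the thread, e.g.
#   May 28 21:42:40 111.222.333.444:53 -> 192.168.1.1:61068 UDP
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

def parse_line(line):
    """Return one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def classify(lines, resolvers, min_pkts=3):
    """Label each (src, dst) burst: 'dns-reply-retry' when every packet comes
    from a known resolver's UDP port 53 and destination ports climb, as in the
    thread; 'possible-scan' for other bursts hitting min_pkts+ distinct ports."""
    flows = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        flows[(rec["src"], rec["dst"])].append(rec)
    verdicts = {}
    for (src, dst), pkts in flows.items():
        dports = [p["dport"] for p in pkts]
        from_resolver = src in resolvers and all(
            p["sport"] == 53 and p["proto"] == "UDP" for p in pkts)
        climbing = all(a < b for a, b in zip(dports, dports[1:]))
        if from_resolver and climbing:
            verdicts[(src, dst)] = "dns-reply-retry"
        elif len(set(dports)) >= min_pkts:
            verdicts[(src, dst)] = "possible-scan"
        else:
            verdicts[(src, dst)] = "low-volume"
    return verdicts

# Constructed sample, not from the thread; 192.0.2.53 stands in for the ISP resolver.
SAMPLE_LOG = [
    "May 28 21:42:40 192.0.2.53:53 -> 192.168.1.1:61068 UDP",
    "May 28 21:42:40 192.0.2.53:53 -> 192.168.1.1:61069 UDP",
    "May 28 21:42:41 192.0.2.53:53 -> 192.168.1.1:61070 UDP",
    "May 28 22:10:02 198.51.100.7:40111 -> 192.168.1.1:21 TCP",
    "May 28 22:10:02 198.51.100.7:40112 -> 192.168.1.1:22 TCP",
    "May 28 22:10:03 198.51.100.7:40113 -> 192.168.1.1:23 TCP",
]
KNOWN_RESOLVERS = {"192.0.2.53"}
VERDICTS = classify(SAMPLE_LOG, KNOWN_RESOLVERS)
```

Removing the resolver from KNOWN_RESOLVERS makes the same burst come back as 'possible-scan', which is the false positive the thread describes.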
This archive was generated by hypermail 2b30 : Thu May 31 2001 - 09:30:24 PDT