On Mon, 18 Jun 2001, Mike Batchelor wrote: > Nothing is up with I.gtld-servers.net. Just because it shows up in a snort > log, or on ARIS, doesn't mean it's a probe, and doesn't even mean it's > suspicious. Check out the other GTLD or root servers. I bet most of them > have just as many "reports" on ARIS. We get lots of DNS related false positives relating to DNS in ARIS, mostly due to IDS admins not properly excluding their own DNS servers from the "DNS source porting attack". However, that's not what is going on here. > > The most likely explanation is that Snort "lost state" on your outgoing DNS > queries, because I.gtld-servers.net is taking too long to answer. I don't think DNS is one of the items Snort keeps state on. > So it > flagged the "unknown" UDP replies as "misc traceroute" traffic. You need to > read IDS logs with a jaundiced eye, or you'll go crazy chasing down false > positives. The key detail in the logs he sent was the TTL=1, which won't happen under normal circumstances.. that's what is causing the traceroute rule to go off. About the only ways I can think of for those to happen "naturally" is if they have the default TTL really low on that host for some strange reason (which would tend to break communications with it for a lot of hosts) or if there is a loop on the net that is flapping really fast (fast enough that TTL=small number packets end up getting out). Ryan
This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 16:29:29 PDT