On Mon, 18 Jun 2001, Mike Batchelor wrote:

> The most likely explanation is that Snort "lost state" on your outgoing DNS
> queries, because I.gtld-servers.net is taking too long to answer. So it
> flagged the "unknown" UDP replies as "misc traceroute" traffic. You need to
> read IDS logs with a jaundiced eye, or you'll go crazy chasing down false
> positives.

Snort doesn't "keep state", and therefore has no state to lose. Snort does pattern matching on a frame-by-frame basis (with the exception of the currently rather buggy TCP (yes, TCP, not UDP) stream preprocessor). The misc traceroute alerts are coming from the TTL being 1 when the reply passes the IDS. Understanding that IDSs love to false goes without saying, but falses can usually be explained without much problem; this one definitely deserves a second look.

> "Valid (sort of) queries"? Being valid is like being pregnant, there is no
> "sort-of". What is "looks ODD" about these packets? They look like normal
> DNS replies to me.

Valid, I'm guessing, means it looks like a normal DNS packet. What looks odd is that the TTL is 1. Seems strange to me that a TLD name server would be so many hops away (do any IP stacks start with TTLs lower than 64?). Even more strange is that so many others have seen similar results. Mind, I haven't even looked into this, more than catching the initial email and this response, but it sure looks weird.

> > [**] IDS03 - MISC-Traceroute UDP [**]
> > 06/15-01:38:06.209014 0:20:6F:5:6:3B -> 0:20:78:10:59:1D type:0x800 len:0x9A
> > 192.36.144.133:53 -> 206.111.213.146:8708 UDP TTL:1 TOS:0x0 ID:18065
> > Len: 120

--Dox
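Added example, not part of the thread above or of Snort itself: a small Python triage script for alerts of the kind quoted in the message. It parses the plain-text Snort alert header (the "[**] ... [**]" line, the Ethernet line and the IP/UDP line), works out how many hops a TTL-1 packet would have travelled for the usual initial TTLs, checks that the frame length is consistent with a plain Ethernet/IPv4/UDP packet, and does the query/reply correlation Snort does not do for UDP. The initial-TTL values (64, 128, 255), the traceroute destination-port range (33434 upwards) and the reading of Snort's "Len:" as the UDP length field are assumptions, not facts from the thread; the only sample input is the packet quoted in the message.

```python
"""Triage a Snort "MISC-Traceroute UDP" alert that looks like a DNS reply."""
import re

# Assumption: initial TTLs used by common IP stacks (64 BSD/Linux, 128 Windows, 255 Solaris/Cisco).
COMMON_INITIAL_TTLS = (64, 128, 255)
# Assumption: classic UNIX traceroute sends UDP probes to ports starting at 33434.
TRACEROUTE_PORT_RANGE = range(33434, 33524)

# Alert text exactly as quoted in the thread (quote markers removed).
SAMPLE_ALERT = """
[**] IDS03 - MISC-Traceroute UDP [**]
06/15-01:38:06.209014 0:20:6F:5:6:3B -> 0:20:78:10:59:1D type:0x800 len:0x9A
192.36.144.133:53 -> 206.111.213.146:8708 UDP TTL:1 TOS:0x0 ID:18065
Len: 120
"""

MSG_RE = re.compile(r"^\[\*\*\] (?P<msg>.+?) \[\*\*\]$")
ETH_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (?P<smac>[0-9A-Fa-f:]+) -> (?P<dmac>[0-9A-Fa-f:]+) "
    r"type:0x(?P<type>[0-9A-Fa-f]+) len:0x(?P<len>[0-9A-Fa-f]+)$"
)
IP_RE = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"(?P<proto>UDP|TCP) TTL:(?P<ttl>\d+) TOS:0x(?P<tos>[0-9A-Fa-f]+) ID:(?P<id>\d+)"
)
UDPLEN_RE = re.compile(r"^Len: (?P<len>\d+)$")


def parse_alert(text):
    """Parse the header lines of one Snort 1.x-style text alert into a dict."""
    alert = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if m := MSG_RE.match(line):
            alert["msg"] = m.group("msg")
        elif m := ETH_RE.match(line):
            alert["frame_len"] = int(m.group("len"), 16)   # len:0x9A -> 154 bytes on the wire
        elif m := IP_RE.match(line):
            alert.update(src=m.group("src"), sport=int(m.group("sport")),
                         dst=m.group("dst"), dport=int(m.group("dport")),
                         proto=m.group("proto"), ttl=int(m.group("ttl")))
        elif m := UDPLEN_RE.match(line):
            alert["udp_len"] = int(m.group("len"))
    return alert


def implied_hops(ttl):
    """Hops the packet would have travelled for each assumed initial TTL."""
    return {init: init - ttl for init in COMMON_INITIAL_TTLS if init >= ttl}


def frame_consistent(alert):
    """Ethernet (14) + IPv4 without options (20) + UDP length should equal the frame length.
    Assumes Snort's "Len:" is the UDP length field, header included; 154 == 14 + 20 + 120 here."""
    if "frame_len" not in alert or "udp_len" not in alert:
        return None
    return alert["frame_len"] == 14 + 20 + alert["udp_len"]


def classify(alert, recent_queries=()):
    """recent_queries: (client_ip, client_port, server_ip) tuples for outbound DNS queries
    seen shortly before the alert, i.e. the correlation the IDS itself does not keep for UDP."""
    if alert.get("proto") != "UDP":
        return "not UDP"
    if alert["dport"] in TRACEROUTE_PORT_RANGE:
        return "consistent with traceroute probe"
    if alert["sport"] == 53:
        if (alert["dst"], alert["dport"], alert["src"]) in set(recent_queries):
            return "DNS reply matching a recent query; TTL-1 alert is a false positive"
        return "looks like a DNS reply; check for a matching outbound query"
    return "unclear; inspect payload"


if __name__ == "__main__":
    a = parse_alert(SAMPLE_ALERT)
    print(a["msg"], a["src"], a["sport"], "->", a["dst"], a["dport"], "TTL", a["ttl"])
    print("hops if initial TTL was:", implied_hops(a["ttl"]))
    print("frame length consistent:", frame_consistent(a))
    print(classify(a))
    # Constructed outbound query: the client sent a query from 8708 to the server's port 53.
    print(classify(a, [("206.111.213.146", 8708, "192.36.144.133")]))
```

The point of the script is the order of the checks: a reply from source port 53 to a high client port that matches an outbound query a moment earlier is a DNS answer whatever its TTL, and the only thing the TTL of 1 tells you is how far away the sender appears to be under each assumed initial TTL (63, 127 or 254 hops), which is what makes the packet worth a second look rather than what makes it a traceroute.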
This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 16:43:28 PDT