Subject: Re: [snort] DNS lookups too sensitve...or are these attacks?
From: Jim Forster (jforster at rapidnet.com)
Date: Thu Mar 30 2000 - 17:49:37 CST
- Next message: Ed Padin: "RE: [snort] Snort archives question and suggestion"
- Previous message: James McLaughlin: "[snort] DNS lookups too sensitve...or are these attacks?"
- In reply to: James McLaughlin: "[snort] DNS lookups too sensitve...or are these attacks?"
- Next in thread: James McLaughlin: "Re: [snort] DNS lookups too sensitve...or are these attacks?"
- Next in thread: Martin Roesch: "Re: [snort] DNS lookups too sensitve...or are these attacks?"
- Next in thread: Kirwan Marty: "RE: [snort] Snort 1.7 projected features"
- Reply: Jim Forster: "Re: [snort] DNS lookups too sensitve...or are these attacks?"
- Reply: James McLaughlin: "Re: [snort] DNS lookups too sensitve...or are these attacks?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
These are either from the Vision ruleset, or from the 'addon' set on
RapidNet. (That's why they were removed from the dist. set) :)
Those are DNS queries, and the only reason it flagged them is that it was
hitting the port which is monitored by the ruleset. - Nothing to worry
about.
I suggest using only content-based rules for backdoor activity, otherwise
you'll need a 20gb drive to log all the falses nightly. :]
Thanks...
Jim Forster
Network Administrator
RapidNet / DakotaConnect
http://www.rapidnet.com
--------------------------------------------------------------------
Snort NIDS Info - http://snort.rapidnet.com
--------------------------------------------------------------------
>
> [**] Trojan Cow [**]
> 03/30-06:18:39.959500 0:10:5A:E6:41:95 -> 0:10:7B:C0:26:81 type:0x800
> len:0x101
> xxx.xxx.xxx.xxx:53 -> xxx.xxx.xxx.xxx:2001 UDP TTL:64 TOS:0x0 ID:50654
> Len: 223
>
> [**] Psyber Stream [**]
> 03/30-07:08:46.409686 0:10:5A:E6:41:95 -> 0:10:7B:C0:26:81 type:0x800
> len:0xA3
> xxx.xxx.xxx.xxx:53 -> xxx.xxx.xxx.xxx:1170 UDP TTL:64 TOS:0x0 ID:53155
> Len: 129
>
> [**] FTP99cmp [**]
> 03/30-07:40:07.873111 0:10:5A:E6:41:95 -> 0:10:7B:C0:26:81 type:0x800
> len:0xE0
> xxx.xxx.xxx.xxx:53 -> xxx.xxx.xxx.xxx:1492 UDP TTL:64 TOS:0x0 ID:55806
> Len: 190
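The three alerts quoted above share one shape: a UDP datagram from port 53 into an ephemeral port, i.e. a DNS reply that happened to land on a port a backdoor rule watches. The following added example (not from the thread or from Snort itself) parses the Snort 1.x alert format quoted above and marks alerts of that shape as likely DNS-reply false positives for triage; the sample alerts are constructed from the quoted ones.

```python
import re

# Constructed sample in the alert format quoted in the thread (addresses masked as in the post)
SAMPLE_ALERTS = """\
[**] Trojan Cow [**]
03/30-06:18:39.959500 0:10:5A:E6:41:95 -> 0:10:7B:C0:26:81 type:0x800 len:0x101
xxx.xxx.xxx.xxx:53 -> xxx.xxx.xxx.xxx:2001 UDP TTL:64 TOS:0x0 ID:50654
Len: 223

[**] Psyber Stream [**]
03/30-07:08:46.409686 0:10:5A:E6:41:95 -> 0:10:7B:C0:26:81 type:0x800 len:0xA3
xxx.xxx.xxx.xxx:53 -> xxx.xxx.xxx.xxx:1170 UDP TTL:64 TOS:0x0 ID:53155
Len: 129

[**] FTP99cmp [**]
03/30-07:40:07.873111 0:10:5A:E6:41:95 -> 0:10:7B:C0:26:81 type:0x800 len:0xE0
xxx.xxx.xxx.xxx:53 -> xxx.xxx.xxx.xxx:1492 UDP TTL:64 TOS:0x0 ID:55806
Len: 190
"""

# "[**] rule message [**]" header line
MSG_RE = re.compile(r"^\[\*\*\] (?P<msg>.+?) \[\*\*\]$")
# "src:sport -> dst:dport PROTO ..." line
IP_RE = re.compile(r"^(?P<src>[^\s:]+):(?P<sport>\d+) -> (?P<dst>[^\s:]+):(?P<dport>\d+) (?P<proto>\w+) ")


def parse_alerts(text):
    """Return one dict per alert with msg, src, sport, dst, dport and proto."""
    alerts, current = [], None
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if m:
            current = {"msg": m.group("msg")}
            alerts.append(current)
            continue
        m = IP_RE.match(line)
        if m and current is not None:
            current.update(src=m.group("src"), dst=m.group("dst"), proto=m.group("proto"),
                           sport=int(m.group("sport")), dport=int(m.group("dport")))
    return alerts


def looks_like_dns_reply(alert):
    """True for a UDP datagram from port 53 to an ephemeral (>1023) port: a DNS answer, not a backdoor."""
    return alert.get("proto") == "UDP" and alert.get("sport") == 53 and alert.get("dport", 0) > 1023


def triage(text):
    """Pair each alert message with a verdict so port-only backdoor hits can be tuned out."""
    return [(a["msg"], "likely DNS reply" if looks_like_dns_reply(a) else "review")
            for a in parse_alerts(text)]


if __name__ == "__main__":
    for msg, verdict in triage(SAMPLE_ALERTS):
        print(f"{msg}: {verdict}")
```

Port-only rules will keep firing on traffic like this; a rule that also matches on the backdoor's payload content, as suggested above, avoids the problem at the source.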