On 19 Sep 2001, somogyi lorand wrote:
// Hi,
// I'm wondering if this is normal behaviour.
Yes, this is normal behavior.
If you want to avoid it, you must add your DNS server in snort.conf like:
var DNS_SERVERS x.x.x.x
and then you must uncomment the line
preprocessor portscan-ignorehosts: $DNS_SERVERS
// My primary DNS is on x.x.x.x, and my ip is
// y.y.y.y. Snort portscan.log extr.:
//
// ------------------------------------------------
// Sep 19 10:41:05 x.x.x.x:53 -> y.y.y.y:32783 UDP
// Sep 19 10:41:05 x.x.x.x:53 -> y.y.y.y:32784 UDP
// Sep 19 10:41:05 x.x.x.x:53 -> y.y.y.y:32785 UDP
// Sep 19 10:41:05 x.x.x.x:53 -> y.y.y.y:32786 UDP
// Sep 19 10:41:05 x.x.x.x:53 -> y.y.y.y:32787 UDP
// Sep 19 10:41:05 x.x.x.x:53 -> y.y.y.y:32788 UDP
// Sep 19 10:41:05 x.x.x.x:53 -> y.y.y.y:32789 UDP
// Sep 19 10:41:05 x.x.x.x:53 -> y.y.y.y:32790 UDP
// and so on...
// ------------------------------------------------
//
// So, if I'm right someone scans my machine from the
// primary DNS machine, using port 53 as their source
// port. Or is this a normal DNS behavior?
No, nobody scans your machine from the primary DNS server; it is
normal behavior, as I said before.
Hope this helps
//
// Greetings,
// L.
//
--
Endless Loop: n., see Loop, Endless.
Loop, Endless: n., see Endless Loop.
-- Random Shack Data Processing Dictionary
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS d- s:- a- C+++ UL++++ P+ L+++ E--- W- N o-- K- w
O- M-- V- PS+ PE+ Y+ PGP t 5 X++++ R* tv+ b+++ DI D++
G e+ h! r-- y+
------END GEEK CODE BLOCK------
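The reason the log looks like a scan, shown as an added illustration that is not Snort's own code and not part of the thread above: the portscan preprocessor counts how many distinct destination ports one source touches within a short window, and a resolver answering from port 53 to each ephemeral port the client opened fits that pattern exactly. The script below parses lines in the same shape as the portscan.log excerpt, applies that simplified heuristic, and then reads the two snort.conf lines from the reply (the var definition and portscan-ignorehosts) to drop the DNS server before detection. Addresses, thresholds, the window length and the simplified snort.conf parsing are all assumptions made for the example; the real preprocessor keeps more state and accepts richer list syntax.

```python
"""Toy model of a portscan heuristic plus an ignore-hosts list.

Added example, not Snort's implementation. It keeps only the core idea:
"one source reaches many distinct destination ports in a short window".
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the shape of the portscan.log excerpt from the
# mail. 10.0.0.53 plays the DNS server, 192.0.2.10 the monitored host, and
# 198.51.100.7 a host that really does probe several service ports.
SAMPLE_LOG = """\
Sep 19 10:41:05 10.0.0.53:53 -> 192.0.2.10:32783 UDP
Sep 19 10:41:05 10.0.0.53:53 -> 192.0.2.10:32784 UDP
Sep 19 10:41:05 10.0.0.53:53 -> 192.0.2.10:32785 UDP
Sep 19 10:41:05 10.0.0.53:53 -> 192.0.2.10:32786 UDP
Sep 19 10:41:05 10.0.0.53:53 -> 192.0.2.10:32787 UDP
and so on...
Sep 19 10:41:06 198.51.100.7:40001 -> 192.0.2.10:22 TCP
Sep 19 10:41:06 198.51.100.7:40002 -> 192.0.2.10:23 TCP
Sep 19 10:41:06 198.51.100.7:40003 -> 192.0.2.10:25 TCP
Sep 19 10:41:07 198.51.100.7:40004 -> 192.0.2.10:80 TCP
Sep 19 10:41:07 198.51.100.7:40005 -> 192.0.2.10:443 TCP
"""

# Constructed snort.conf fragment using the two lines quoted in the reply.
SAMPLE_CONF = """\
var DNS_SERVERS 10.0.0.53
preprocessor portscan-ignorehosts: $DNS_SERVERS
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+)$"
)


def parse_portscan_log(text):
    """Return (time, src_ip, dst_ip, dst_port, proto) tuples; skip non-matching lines."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # separators, "and so on..." and similar filler
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year defaults to 1900
        events.append((ts, m["src"], m["dst"], int(m["dport"]), m["proto"]))
    return events


def ignore_hosts_from_conf(conf_text):
    """Simplified reading of 'var NAME value' and 'portscan-ignorehosts:' lines.

    Assumption: plain addresses separated by whitespace, commas or brackets;
    real snort.conf syntax is richer and is not modelled here.
    """
    variables, ignored = {}, set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "var":
            variables[parts[1]] = parts[2]
        elif line.startswith("preprocessor portscan-ignorehosts:"):
            value = line.split(":", 1)[1]
            for token in re.split(r"[\s,\[\]]+", value):
                if token.startswith("$"):
                    token = variables.get(token[1:], "")
                ignored.update(t for t in re.split(r"[\s,\[\]]+", token) if t)
    return frozenset(ignored)


def detect_portscans(events, threshold=4, window_seconds=3, ignore_hosts=frozenset()):
    """Flag sources reaching >= threshold distinct targets within window_seconds.

    Returns {src_ip: most distinct (dst, port, proto) targets seen in one
    window}. Sources listed in ignore_hosts are dropped before counting,
    which is the effect portscan-ignorehosts has for the DNS server.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in events:
        if src in ignore_hosts:
            continue
        by_src[src].append((ts, (dst, dport, proto)))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort(key=lambda h: h[0])
        best = 0
        for i, (start, _) in enumerate(hits):
            seen = set()
            for ts, target in hits[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                seen.add(target)
            best = max(best, len(seen))
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    events = parse_portscan_log(SAMPLE_LOG)
    print("without ignore list:", detect_portscans(events))
    ignored = ignore_hosts_from_conf(SAMPLE_CONF)
    print("ignoring", sorted(ignored), "->", detect_portscans(events, ignore_hosts=ignored))
```

Run as-is, the first line reports both the DNS server and the real prober; after the ignore list from the conf fragment is applied, only the host probing 22, 23, 25, 80 and 443 remains, which is the outcome the reply describes. Note that the ignore list suppresses everything from that source, so it should only contain hosts you trust (in this thread, your own resolver).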