
Snort report questions



See the following message emitted by snort. The 207.* and 206.*
addresses below are my ISP nameservers. The 192.* address is my wife's
Windows machine on the network. I received the message at my machine.
All machines are behind the firewall. Two things are peculiar. First,
the destination IP is local, which is unroutable on the internet. Is
this a case of the firewall rewriting the IP because of masquerading?
Second, the source port is 53 (nameserver), but the destination port is
137 (netbios name service). Why does standard nameserver traffic report
back to port 137? Maybe a better question is, on a standard nameserver
line (non-Windows), to what port is nameserver answer traffic sent?
And should I assume that this is a response to a nameserver request from
my wife's machine?

Paul

----- Forwarded message from root <root@quillandmouse.com> -----

To: root@rocky.mars.lan
Subject: rocky 09/03/01:16.02 system check
Message-Id: <20010903200203.70E393FB51@quillandmouse.com>
Date: Mon,  3 Sep 2001 16:02:03 -0400 (EDT)
From: root@quillandmouse.com (root)


Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Sep  3 15:29:38 rocky snort: Source Port traffic: 207.155.184.72:53 ->
192.168.10.2:137
Sep  3 15:29:46 rocky snort: Source Port traffic: 207.155.184.72:53 ->
192.168.10.2:137
Sep  3 15:29:51 rocky snort: Source Port traffic: 206.173.119.72:53 ->
192.168.10.2:137
Sep  3 15:36:39 rocky snort: Source Port traffic: 206.173.119.72:53 ->
192.168.10.2:137
Sep  3 15:37:26 rocky snort: Source Port traffic: 206.173.119.72:53 ->
192.168.10.2:137

----- End forwarded message -----
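A small triage script for the report above, added here as an example and not part of the original post: it rejoins the mail-wrapped Snort lines, parses them, and counts alerts per flow. The function names and the two observations it records are choices made for this example; the sample lines are copied from the forwarded message.

```python
import ipaddress
import re
from collections import Counter

# Sample input: the alert lines from the forwarded report, wrapped as in the mail.
REPORT = """\
Sep  3 15:29:38 rocky snort: Source Port traffic: 207.155.184.72:53 ->
192.168.10.2:137
Sep  3 15:29:46 rocky snort: Source Port traffic: 207.155.184.72:53 ->
192.168.10.2:137
Sep  3 15:29:51 rocky snort: Source Port traffic: 206.173.119.72:53 ->
192.168.10.2:137
Sep  3 15:36:39 rocky snort: Source Port traffic: 206.173.119.72:53 ->
192.168.10.2:137
Sep  3 15:37:26 rocky snort: Source Port traffic: 206.173.119.72:53 ->
192.168.10.2:137
"""
STARTS_RECORD = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s")  # syslog timestamp
ALERT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssnort:\s(?P<msg>.+?):\s"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s->\s(?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse(text):
    """Rejoin wrapped continuation lines, then parse each alert into a dict."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if STARTS_RECORD.match(line) or (line and not records):
            records.append(line)           # a new syslog record
        elif line:
            records[-1] += " " + line      # continuation of the previous one
    return [m.groupdict() for m in map(ALERT.match, records) if m]

def summarize(alerts):
    """Count alerts per (src, sport, dst, dport) flow."""
    return Counter((a["src"], int(a["sport"]), a["dst"], int(a["dport"]))
                   for a in alerts)

def observations(flow):
    """Note the two properties of a flow that the post asks about."""
    src, sport, dst, dport = flow
    notes = []
    if not ipaddress.ip_address(src).is_private and ipaddress.ip_address(dst).is_private:
        notes.append("public source, private-range destination")
    if sport == 53 and dport < 1024:
        notes.append("source port 53 to a well-known destination port")
    return notes

if __name__ == "__main__":
    for flow, count in summarize(parse(REPORT)).items():
        print(count, flow, observations(flow))
```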


