
Re: Snort report questions



on Wed, Sep 05, 2001 at 07:14:52PM -0400, Paul M Foster (paulf@quillandmouse.com) wrote:

> See the following message emitted by snort. The 207.* and 206.*
> addresses below are my ISP nameservers. The 192.* address is my wife's
> Windows machine on the network. I received the message at my machine.
> All machines are behind the firewall. Two things are peculiar. First,
> the destination IP is local, which is unroutable on the internet. 

Not after it's passed through your NAT server it isn't.

> Is this a case of the firewall rewriting the IP because of
> masquerading?

Yes.

You can avoid the messages by adding your nameservers to your snort.conf
file.

> Second, the source port is 53 (nameserver), but the destination port
> is 137 (netbios name service). Why does standard nameserver traffic
> report back to port 137? Maybe a better question is, on a standard
> nameserver line (non-Windows), to what port is nameserver answer
> traffic sent?  And should I assume that this is a response to a
> nameserver request from my wife's machine?

This I'm not sure of, but my guess would be that NetBIOS is querying the
nameserver.

This is an instance in which snort is interesting in that you're
discovering things happening on your network you weren't previously
aware of.

-- 
Karsten M. Self <kmself@ix.netcom.com>          http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?             There is no K5 cabal
  http://gestalt-system.sourceforge.net/               http://www.kuro5hin.org
   Free Dmitry! Boycott Adobe! Repeal the DMCA!    http://www.freesklyarov.org
Geek for Hire                        http://kmself.home.netcom.com/resume.html
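
A DNS server sends its answer to whatever source port the query came from, so a reply arriving on port 137 implies a query that left from port 137. The sketch below is an added example, not part of the original message; the addresses, packet records and the 5-second window are constructed, and it matches port-53 traffic against earlier outgoing queries to separate genuine replies from unsolicited packets.

```python
from typing import NamedTuple

class Pkt(NamedTuple):
    ts: float    # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int

# Placeholder resolver addresses (documentation ranges), not the poster's ISP.
NAMESERVERS = {"192.0.2.53", "198.51.100.53"}
REPLY_WINDOW = 5.0   # assumed time a query stays outstanding

def classify(packets):
    """Label each UDP packet as 'query', 'reply' (answers an earlier query),
    'unsolicited' (source port 53, no matching query) or 'other'."""
    pending = {}   # (client_ip, client_port, server_ip) -> time of query
    labels = []
    for p in packets:
        if p.dport == 53 and p.dst in NAMESERVERS:
            pending[(p.src, p.sport, p.dst)] = p.ts
            labels.append("query")
        elif p.sport == 53:
            sent = pending.get((p.dst, p.dport, p.src))
            if sent is not None and 0 <= p.ts - sent <= REPLY_WINDOW:
                labels.append("reply")
            else:
                labels.append("unsolicited")
        else:
            labels.append("other")
    return labels

# Constructed traffic as seen on the inside of the NAT box.
SAMPLE = [
    Pkt(0.00, "192.168.1.20", 137, "192.0.2.53", 53),      # query from port 137
    Pkt(0.04, "192.0.2.53", 53, "192.168.1.20", 137),      # answer returns to 137
    Pkt(1.00, "192.168.1.10", 32768, "198.51.100.53", 53), # query, ephemeral port
    Pkt(1.03, "198.51.100.53", 53, "192.168.1.10", 32768),
    Pkt(9.00, "203.0.113.7", 53, "192.168.1.20", 137),     # nothing asked for this
]

if __name__ == "__main__":
    for pkt, label in zip(SAMPLE, classify(SAMPLE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {label}")
```
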
