Intrusion Detection Systems mailing list archives
Re: reading signatures?
From: tschroed () acm org (Trevor Schroeder)
Date: Fri, 22 Oct 1999 15:48:23 -0500 (CDT)
On Fri, 22 Oct 1999 matthew.fearnow () mcp com wrote:
> Can anyone give me some insight into what this means?
>
> 14:17:51.220753 myhost.here.com.9999 > othersite.there.com.53: 1205+ (45)
> 14:17:51.718414 myhost.here.com.9999 > othersite.there.com.53: 1205+ (45)
> 14:42:49.550408 myhost.here.com.9999 > anothersite.there.com.53: 1194+ (45)

That would be myhost.here.com doing DNS lookups, most likely (assuming you don't have reason to suspect otherwise).

domain          53/tcp          nameserver      # name-domain server
domain          53/udp          nameserver

..........................................................................
: "I knew it was going to cost me my head and also my swivel chair, but  :
: I thought:  What the hell--better men than I have risked their heads   :
: and their swivel chairs for truth and justice." -- James P. Cannon     :
:........... http://www.zweknu.org/ for PGP key and more ................:
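
Added example (not part of the original message or of tcpdump): a short Python parser for the three trace lines quoted above. It reads each line using tcpdump's documented DNS query layout, where the number after the colon is the query ID, a trailing `+` means recursion desired, and the parenthesised number is the payload length, then groups port-53 packets to show that the first two lines repeat one query. The function names and the 5-second window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Trace lines copied from the question above (hostnames are the poster's placeholders).
SAMPLE = """\
14:17:51.220753 myhost.here.com.9999 > othersite.there.com.53: 1205+ (45)
14:17:51.718414 myhost.here.com.9999 > othersite.there.com.53: 1205+ (45)
14:42:49.550408 myhost.here.com.9999 > anothersite.there.com.53: 1194+ (45)
"""

# tcpdump prints endpoints as host.port, so the last dot-separated field is the port.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<qid>\d+)(?P<flags>[+*%|-]*)\s+"
    r"(?:(?P<question>.*?)\s+)?\((?P<length>\d+)\)\s*$"
)

def parse(line):
    """Return a dict for one tcpdump DNS line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s = m["ts"].split(":")
    return {
        "t": int(h) * 3600 + int(mi) * 60 + float(s),  # seconds since midnight
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "qid": int(m["qid"]),
        "rd": "+" in m["flags"],       # '+' = recursion desired
        "length": int(m["length"]),    # DNS payload bytes, excluding UDP/IP headers
    }

def repeated_queries(records, window=5.0):
    """Group port-53 packets by (src, sport, dst, id). Repeats inside `window`
    seconds (an assumed value) are consistent with a retry of an unanswered query."""
    seen = defaultdict(list)
    for r in records:
        if r["dport"] == 53:
            seen[(r["src"], r["sport"], r["dst"], r["qid"])].append(r["t"])
    return {k: ts for k, ts in seen.items()
            if len(ts) > 1 and max(ts) - min(ts) <= window}

if __name__ == "__main__":
    recs = [r for r in map(parse, SAMPLE.splitlines()) if r]
    for r in recs:
        print(r)
    print(repeated_queries(recs))
```
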
