Re: [cobalt-users] help with logcheck entries
- Subject: Re: [cobalt-users] help with logcheck entries
- From: "Fragga" <fragga@xxxxxxxxxxxx>
- Date: Fri Oct 11 03:25:01 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Well, if it's occurring at the same time each hour, then sniff the traffic just
before by using snort like -
$ snort -vde port 53
and although you might catch some duff traffic, you should see an entry in
there like this -
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/11-11:09:42.091641 0:8:20:E7:CC:0 -> 0:10:E0:3:2A:FC type:0x800 len:0x49
**.**.**.**:32971 -> ***.***.***.***:53 UDP TTL:110 TOS:0x0 ID:57910
IpLen:20 DgmLen:59
Len: 39
01 CD 01 00 00 01 00 00 00 00 00 00 03 77 77 77 .............www
05 78 74 72 61 63 03 63 6F 6D 00 00 01 00 01 .xtrac.com.....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
where ** is the IP of the requester and *** is the IP of your box.
To accomplish the same thing with tcpdump, use -
$ tcpdump -vvv -s 0 -X port 53
and you should see a packet like
11:17:42.973611 **.**.**.**.35207 > ***.***.***.***.domain: [udp sum ok]
466+ A? www.xtrac.com. [|domain] (ttl 110, id 58055, len 59)
0x0000 4500 003b e2c7 0000 6e11 8cb0 c3e0 25e7 E..;....n.....%.
0x0010 3f59 b419 8987 0035 0027 cac9 01d2 0100 ?Y.....5.'......
0x0020 0001 0000 0000 0000 0377 7777 0578 7472 .........www.xtr
0x0030 6163 0363 6f6d 0000 0100 01 ac.com.....
again with ** as the requester and *** as your box.
At least you can then track who's querying your DNS, and it may provide you
with a lead.
Is this any help?
fragga
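The two dumps above are easier to act on once they are decoded into fields (requester, port, transaction ID, queried name) that can be matched against the timestamps in the named log. The following is an added example, not code from the original post nor from the snort or tcpdump projects: it rebuilds the packet bytes from the `tcpdump -X` text, walks the IPv4 and UDP headers, and decodes the DNS question section by hand (including compression pointers, so it also works on responses caught by the same `port 53` filter). The hex from both dumps on this page is embedded as sample input. The only assumption about the input format is that the ASCII column is always the last whitespace-separated token on a `-X` line, which holds because tcpdump prints `.` for spaces and non-printable bytes.

```python
"""Decode the DNS query out of a `tcpdump -vvv -s 0 -X port 53` dump.

Added example (not from the original post): tcpdump -X text -> bytes ->
IPv4 -> UDP -> DNS question section.
"""
import struct

# Sample input: the tcpdump -X lines from the post, pasted verbatim.
# First token is the offset, last token is the ASCII column.
TCPDUMP_X_OUTPUT = """\
0x0000 4500 003b e2c7 0000 6e11 8cb0 c3e0 25e7 E..;....n.....%.
0x0010 3f59 b419 8987 0035 0027 cac9 01d2 0100 ?Y.....5.'......
0x0020 0001 0000 0000 0000 0377 7777 0578 7472 .........www.xtr
0x0030 6163 0363 6f6d 0000 0100 01 ac.com.....
"""

# Sample input: the UDP payload from the snort -vde dump in the post
# (snort -d prints only the application layer, no IP/UDP headers).
SNORT_PAYLOAD_HEX = (
    "01 CD 01 00 00 01 00 00 00 00 00 00 03 77 77 77 "
    "05 78 74 72 61 63 03 63 6F 6D 00 00 01 00 01"
)

QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
          16: "TXT", 28: "AAAA"}


def tcpdump_hexdump_to_bytes(text: str) -> bytes:
    """Turn tcpdump -X output back into raw bytes.

    Hex words are tokens[1:-1]; the ASCII column (last token) must be as
    long as the bytes decoded from that line, or the paste was mangled.
    """
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or not tokens[0].startswith("0x"):
            continue
        chunk = bytes.fromhex("".join(tokens[1:-1]))
        if len(chunk) != len(tokens[-1]):
            raise ValueError(f"hex/ASCII length mismatch: {line!r}")
        out += chunk
    return bytes(out)


def read_name(msg: bytes, off: int):
    """Read a DNS name at `off`; return (name, offset after the name).
    Follows compression pointers (top two bits 11) so responses decode too."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # pointer to an earlier name
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:                    # root label terminates the name
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def decode_dns(msg: bytes) -> dict:
    """Decode the DNS header and the question section of one message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    questions, off = [], 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, QTYPES.get(qtype, str(qtype)), qclass))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "recursion_desired": bool(flags & 0x0100),  # tcpdump's '+'
            "counts": (qd, an, ns, ar), "questions": questions}


def decode_ipv4_udp_dns(packet: bytes) -> dict:
    """Walk IPv4 -> UDP -> DNS for one captured packet."""
    ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto, _ck, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 17:
        raise ValueError("not UDP")
    sport, dport, ulen, _uck = struct.unpack("!4H", packet[ihl:ihl + 8])
    rec = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
           "sport": sport, "dport": dport, "ttl": ttl, "ip_id": ip_id,
           "ip_len": total_len, "udp_len": ulen}
    rec.update(decode_dns(packet[ihl + 8:ihl + ulen]))  # ulen covers the header
    return rec


def summarize(rec: dict) -> str:
    """One line per packet, roughly in tcpdump's own notation."""
    q = ", ".join(f"{t}? {n}." for n, t, _ in rec["questions"])
    rd = "+" if rec["recursion_desired"] else ""
    return (f"{rec['src']}.{rec['sport']} > {rec['dst']}.{rec['dport']}: "
            f"{rec['txid']}{rd} {q} (ttl {rec['ttl']}, id {rec['ip_id']}, "
            f"len {rec['ip_len']})")


if __name__ == "__main__":
    print(summarize(decode_ipv4_udp_dns(tcpdump_hexdump_to_bytes(TCPDUMP_X_OUTPUT))))
    print(decode_dns(bytes.fromhex(SNORT_PAYLOAD_HEX))["questions"])
```

Run against the dump from the post it reproduces the summary tcpdump printed (`466+ A? www.xtrac.com.`, ttl 110, id 58055, len 59), and shows the snort capture is a different transaction (ID 461) for the same name. For a problem that recurs a few minutes past every hour, the practical pairing is a timed `tcpdump -s 0 -w` of `port 53` around the top of the hour and then `tcpdump -r <file> -X port 53` fed through this decoder, so each named "lame server" line can be lined up with the requester that triggered it.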
----- Original Message -----
From: "Andy Clyde, oxfordmusic.net" <andy.clyde@xxxxxxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Friday, October 11, 2002 5:00 AM
Subject: Re: [cobalt-users] help with logcheck entries
>
>
>
> > my understanding of these errors is that they are DNS errors where someone
> > is using your DNS to surf the web, pop mail, etc, etc and they attempt to go to a
> > site which is not up.
> > Thus Named logs that the server where xtrac.com is meant to be is down
> > (lame).
> >
> > Do you allow your users to use your box as their DNS ?
> >
>
> no.
>
> weird also that they occur very regularly - 2 or 3 minutes past every
> hour...
>
> andy
>
>
> _____________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To subscribe/unsubscribe, or to SEARCH THE ARCHIVES, go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
>