Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Replies 11 replies
  • Subscribers 0 subscribers
  • Views 2070 views
  • Users 0 members are here
Options
Suggested

[7.921][QUESTION][OPEN] PacketFilter drop dns from Internet ip??

x-cimo
I have close to 10000 DNS packet dropped per day, but they seem to come from my internet IP to go on the internet.... Which I don't understand..

I have rules set to allow my local network to do DNS to any network.

My cable modem is connected to ETH0

I get theses: The source is always my Internet IP, and the dest seem to be a set of about 20 that repeat over and over. I found my ISP's dns server in the set...

My internet work fine and resolve well.  And if I got on astaro inside tools, I am also able to resolve DNS there...

Anyone have an idea?

2010:06:10-17:45:22 plasmashield ulogd[3761]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="0:15:5d:1:a:11" srcip="MY_INTERNET_IP" dstip="192.5.5.241" proto="17" length="83" tos="0x00" prec="0x00" ttl="64" srcport="14845" dstport="53" 
2010:06:10-17:45:22 plasmashield ulogd[3761]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="0:15:5d:1:a:11" srcip="MY_INTERNET_IP" dstip="192.112.36.4" proto="17" length="83" tos="0x00" prec="0x00" ttl="64" srcport="10903" dstport="53" 
2010:06:10-17:45:22 plasmashield ulogd[3761]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="0:15:5d:1:a:11" srcip="MY_INTERNET_IP" dstip="128.63.2.53" proto="17" length="83" tos="0x00" prec="0x00" ttl="64" srcport="43979" dstport="53" 
2010:06:10-17:45:22 plasmashield ulogd[3761]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="0:15:5d:1:a:11" srcip="MY_INTERNET_IP" dstip="192.36.148.17" proto="17" length="83" tos="0x00" prec="0x00" ttl="64" srcport="51336" dstport="53" 
2010:06:10-17:45:22 plasmashield ulogd[3761]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="0:15:5d:1:a:11" srcip="MY_INTERNET_IP" dstip="192.58.128.30" proto="17" length="83" tos="0x00" prec="0x00" ttl="64" srcport="51080" dstport="53" 
2010:06:10-17:45:22 plasmashield ulogd[3761]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="0:15:5d:1:a:11" srcip="MY_INTERNET_IP" dstip="193.0.14.129" proto="17" length="83" tos="0x00" prec="0x00" ttl="64" srcport="54423" dstport="53" 
  • 0 
    Astaro Beta Report

    --------------------------------

    Version: 7.921

    Type: QUESTION

    State: CLOSED

    Reporter: x-cimo++

    Contributor: RFCat_vk, RWeiss

    MantisID: 

    Target version: 

    Fixed in version: 

    --------------------------------
  • 0
    I only had these during the update from 7.920 to 7.921. Does this occur regularly?
  • 0 in reply to kbr
    For me it occurs every restart.
    I have logged this previously in the production and beta forums.

    Which basically means my network stats are useless until midnight reset.

    Ian M

    I think it is a function of a multi processor based system where a process is loaded before it is supposed to be.
  • 0
    ah, okay, this sounds like something that Frank has been looking at earlier this week. There's a kind of race in the snort startup (in the case of a "restart"), which we track in #14026.
    I guess these are related.
  • 0 in reply to kbr
    I did update to 921 yesterday.. I will look if I get the same today
  • 0 in reply to x-cimo
    This did not repeat today...

    Yesterday the log file was 7MB!!, today 200k
  • 0
    I have close to 10000 DNS packet dropped per day, but they seem to come from my internet IP to go on the internet.... Which I don't understand..

    I have rules set to allow my local network to do DNS to any network.

    My cable modem is connected to ETH0

    I get theses: The source is always my Internet IP, and the dest seem to be a set of about 20 that repeat over and over. I found my ISP's dns server in the set...

    My internet work fine and resolve well.  And if I got on astaro inside tools, I am also able to resolve DNS there...

    Anyone have an idea? 

    2010:06:10-17:45:22 plasmashield ulogd[3761]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="0:15:5d:1:a:11" srcip="MY_INTERNET_IP" dstip="192.5.5.241" proto="17" length="83" tos="0x00" prec="0x00" ttl="64" srcport="14845" dstport="53" 

    2010:06:10-17:45:22 plasmashield ulogd[3761]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="0:15:5d:1:a:11" srcip="MY_INTERNET_IP" dstip="192.112.36.4" proto="17" length="83" tos="0x00" prec="0x00" ttl="64" srcport="10903" dstport="53" 

    2010:06:10-17:45:22 plasmashield ulogd[3761]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="0:15:5d:1:a:11" srcip="MY_INTERNET_IP" dstip="128.63.2.53" proto="17" length="83" tos="0x00" prec="0x00" ttl="64" srcport="43979" dstport="53" 

    2010:06:10-17:45:22 plasmashield ulogd[3761]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="0:15:5d:1:a:11" srcip="MY_INTERNET_IP" dstip="192.36.148.17" proto="17" length="83" tos="0x00" prec="0x00" ttl="64" srcport="51336" dstport="53" 

    2010:06:10-17:45:22 plasmashield ulogd[3761]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="0:15:5d:1:a:11" srcip="MY_INTERNET_IP" dstip="192.58.128.30" proto="17" length="83" tos="0x00" prec="0x00" ttl="64" srcport="51080" dstport="53" 

    2010:06:10-17:45:22 plasmashield ulogd[3761]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="0:15:5d:1:a:11" srcip="MY_INTERNET_IP" dstip="193.0.14.129" proto="17" length="83" tos="0x00" prec="0x00" ttl="64" srcport="54423" dstport="53" 


    It may mean nothing but has anyone noticed that these are all Root Server addresses in x-cimo's log?
  • 0
    So, my question is again: 

    Did this only appear once, during/after the up2date, or is this a occuring on a regular basis?

Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?