Snort mailing list archives
MISC source port 53 to <1024 question
From: Rich Adamson <radamson () routers com>
Date: Sun, 7 Oct 2001 19:30:37 -0600
Wonder if someone can help explain the following rule. I seem to be getting a lot of what appears to be valid DNS lookups to our primary DNS server with both a "source and destination port of 53" (as observed with a Sniffer). (Snort v1.8.1)

alert udp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)

The typical alert looks like:

[**] MISC source port 53 to <1024 [**]
10/07-20:02:56.074735 161.69.3.150:53 -> 206.222.193.73:53
UDP TTL:240 TOS:0x0 ID:29841 IpLen:20 DgmLen:57 DF
Len: 37

Disabling the above rule stops the alerts, but I'm not sure if that is the right thing to do. The DNS server responds correctly to each of these requests.

Thoughts???

Rich
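Added example (not part of the original message and not Snort code): a small Python check that evaluates the rule header's port fields against the quoted alert, showing that destination port 53 falls inside the ":1023" range. The function names are hypothetical; RULE and ALERT are copied from the message above.

```python
import re

# Rule and alert text copied from the message above.
RULE = ('alert udp $EXTERNAL_NET 53 -> $HOME_NET :1023 '
        '(msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)')
ALERT = """[**] MISC source port 53 to <1024 [**]
10/07-20:02:56.074735 161.69.3.150:53 -> 206.222.193.73:53
UDP TTL:240 TOS:0x0 ID:29841 IpLen:20 DgmLen:57 DF
Len: 37"""


def port_matches(spec, port):
    """Evaluate a Snort rule-header port spec: any, N, N:M, :M, N:, optional leading '!'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:
        low, high = spec.split(":", 1)
        # An omitted bound is open-ended: ":1023" is 0-1023, "1024:" is 1024-65535.
        hit = int(low or 0) <= port <= int(high or 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def rule_ports(rule):
    """Return (src_port_spec, dst_port_spec) from a Snort rule header."""
    # Header fields: action proto src_ip src_port direction dst_ip dst_port
    header = rule.split("(", 1)[0].split()
    return header[3], header[6]


def alert_ports(alert):
    """Return (src_port, dst_port) from the address line of a full-format alert."""
    m = re.search(r"\d+\.\d+\.\d+\.\d+:(\d+) -> \d+\.\d+\.\d+\.\d+:(\d+)", alert)
    return int(m.group(1)), int(m.group(2))


def explain(rule, alert):
    """Report which side of the rule header the alerted packet satisfied."""
    src_spec, dst_spec = rule_ports(rule)
    sport, dport = alert_ports(alert)
    return {"src": port_matches(src_spec, sport),
            "dst": port_matches(dst_spec, dport),
            "both_53": sport == 53 and dport == 53}


if __name__ == "__main__":
    print(explain(RULE, ALERT))
    # Constructed case: the same source port sending to a high port does not match.
    print(port_matches(":1023", 32768))
```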