Snort mailing list archives
RE: MISC source port 53 to <1024 question
From: Michael Ritzert <michael.ritzert () realtech de>
Date: Tue, 9 Oct 2001 12:56:43 +0200
Hi all,

sorry for breaking the thread, but I only just subscribed to the list and don't have the original message available.

I'm running a public DNS server and also very often (i.e. every 1 to 2 minutes) see that very log entry. Because this is to be the first rule I'll write, I'd prefer to verify it with you before I enable it. I would go for

alert udp $EXTERNAL_NET 53 -> $HOME_NET :52 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET 54:1023 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)

instead of the single 53 -> $HOME_NET :1023 entry. Is this correct?

Thanks,
Michael

==========================
FROM: Madhav Diwan
DATE: 10/07/2001 20:10:36
SUBJECT: RE: [Snort-users] MISC source port 53 to <1024 question

Your problem is not really a major problem. You can fix it easily by changing the alert statement to reflect which port you are accepting DNS responses into ... rather than $HOME_NET :1023 .. since you are accepting DNS responses on port 53, make sure that port 53 is outside the range of the alert.

[...]

Rich Adamson wrote:
Wonder if someone can help explain the following rule. I seem to be getting a lot of what appears to be valid DNS lookups to our primary DNS server with both a "source and destination port of 53" (as observed with a Sniffer). (Snort v1.8.1)

alert udp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)

The typical alert looks like:

[**] MISC source port 53 to <1024 [**]
10/07-20:02:56.074735 161.69.3.150:53 -> 206.222.193.73:53
UDP TTL:240 TOS:0x0 ID:29841 IpLen:20 DgmLen:57 DF
Len: 37

[...]

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
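Added example (Python; not code from the thread or from Snort): a small triage script that parses alerts in the full-format layout quoted above and re-applies the proposed split destination-port ranges (:52 and 54:1023) to see which alerts would survive the change. The port matcher is a simplified model of the port syntax used in the thread, not Snort's own parser, and the alert lines are constructed.

```python
import re

# Constructed sample in the Snort 1.8 "full" alert layout shown in the thread:
# a "[**] msg [**]" header followed by a timestamp/address line. Not real traffic.
SAMPLE_ALERT_LOG = """\
[**] MISC source port 53 to <1024 [**]
10/07-20:02:56.074735 161.69.3.150:53 -> 206.222.193.73:53

[**] MISC source port 53 to <1024 [**]
10/07-20:03:10.112233 192.0.2.10:53 -> 206.222.193.73:53

[**] MISC source port 53 to <1024 [**]
10/07-20:04:01.000001 198.51.100.7:53 -> 206.222.193.73:111
"""

HEADER_RE = re.compile(r"^\[\*\*\] (?P<msg>.+?) \[\*\*\]")
FLOW_RE = re.compile(
    r"^\S+ (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def port_matches(spec, port):
    """Simplified model of a Snort port field: any, N, N:M, :M, N: or !spec.
    (Assumption: mirrors the syntax used in the thread, not Snort's parser.)"""
    spec = spec.strip()
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def parse_alerts(text):
    """Return (msg, src, sport, dst, dport) tuples from full-format alert text."""
    alerts, msg = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            msg = h.group("msg")
            continue
        f = FLOW_RE.match(line)
        if f and msg:
            alerts.append((msg, f["src"], int(f["sport"]), f["dst"], int(f["dport"])))
            msg = None
    return alerts


def still_firing(text, dst_specs, src_spec="53"):
    """Alerts that would still match once the rule uses the given dst port specs."""
    return [a for a in parse_alerts(text)
            if port_matches(src_spec, a[2]) and any(port_matches(s, a[4]) for s in dst_specs)]
```

Running still_firing over an existing alert file with [":1023"] and then with [":52", "54:1023"] shows how many of the current alerts are just 53 -> 53 server-to-server DNS traffic and which ones (53 -> some other low port) remain worth looking at.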