Snort mailing list archives
Re: How do I stop the following
From: Phil Wood <cpw () lanl gov>
Date: Sat, 22 Dec 2001 12:24:24 -0700
Note the port 53 to port 53. This happens a lot with some operating systems which like to use a source port equal to the destination port and not the de facto 1024 or greater. The problem is crackers like to scan networks using low source ports on the assumption that a lot of older stateless firewalls are configured to let certain critical services in. (In this case Domain Name Service, probably the MOST critical of all services.)

What we have done is define the systems which are allowed to make domain name queries out of our network (those would be our internal nameservers) and allow only those systems to communicate with the outside. The multitude of client systems are configured to use our internal servers.

Once you know your basic constraints defined by your security policy, you can tweak your rule sets by adding some "pass" rules (along with the -o switch) for the systems in your internal network which might have gone astray (kernel network-stack wise [cause it will be a cold day in Hell before a vendor fixes something like that]). DNS is not the only service which can generate "alerts" like you have asked about.

So, bottom line, you've got to do a little work to fine tune your rule set based on your security policy among other things. Just the tip of the iceberg.

Got to go.

On Fri, Dec 21, 2001 at 06:38:22AM -0800, Trevor and Cindy wrote:
Hi, A Snort newbie here. I was wondering what the following alert is and how do I stop it. I sure hope it is a false positive since I get thousands of them a day, which really bogs down SnortSnarf. The strange thing is I do not see the IP addresses that cause these things showing up on the firewall logs.

[**] [1:515:2] MISC source port 53 to <1024 [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
12/17-08:11:00.311810 216.115.108.33:53 -> 63.168.165.253:53
UDP TTL:53 TOS:0x0 ID:9702 IpLen:20 DgmLen:517
Len: 497

I have been looking through the mailing list, but have not seen anything that shows how to stop this. Any help would be greatly appreciated.

Thanks
Trevor
--
Phil Wood, cpw () lanl gov

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
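The approach Phil describes, written out as a Snort 1.x rules fragment. This is an added example, not code from the thread or from the Snort distribution: the address block, the variable name INTERNAL_DNS and the two resolver addresses are assumptions standing in for whatever the local security policy defines, and the sid 515 rule is reproduced from memory of the stock misc.rules of that era, so check it against the copy that ships with your own Snort version.

```snort
# Added example (not from the thread or from Snort's own rule files).
# Assumed: HOME_NET is the poster's /24 and INTERNAL_DNS lists the only
# hosts permitted by policy to send DNS queries to the outside world.
var HOME_NET 63.168.165.0/24
var INTERNAL_DNS [63.168.165.10,63.168.165.11]

# Stock rule that produced the alert in the question (approximate wording):
# any UDP datagram with source port 53 arriving at a port below 1024.
# It fires on legitimate replies because some stacks reuse 53 as the
# source port of the outbound query, so the reply comes back 53 -> 53.
alert udp any 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)

# Pass rule: replies from port 53 to port 53 on the authorised resolvers
# are expected traffic under this policy and are dropped silently.
# Everything else (e.g. 216.115.108.33:53 -> 63.168.165.253:53, where
# .253 is not a resolver) still hits sid 515 and should be investigated:
# either a client that bypasses the internal nameservers, or a low-port
# scan probing for a stateless firewall hole.
pass udp any 53 -> $INTERNAL_DNS 53
```

Snort 1.x evaluates rules in the order Alert, Pass, Log by default, so the pass rule above never gets a chance to suppress the alert. Start Snort with the `-o` switch (as Phil mentions) to change the order to Pass, Alert, Log; otherwise the rule is loaded but has no visible effect. Keep the pass rule narrow: a pass on `any 53 -> $HOME_NET any` would also hide the low-source-port scans the stock rule was written to catch, which is exactly the blind spot the scanners are counting on.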
Current thread:
- How do I stop the following Trevor and Cindy (Dec 21)
- Re: How do I stop the following Phil Wood (Dec 23)