Snort mailing list archives
RE: Snort-users digest, Vol 1 #1701 - 14 msgs
From: "Michael B. Easter" <mb.easter () comcast net>
Date: Tue, 19 Mar 2002 08:57:33 -0500
What you are seeing IS DNS traffic. BIND DNS uses UDP and TCP port 53 on the server, and a dynamic UDP port on the client to handle requests/responses. In the event port 53 is not available on either machine, it will search for a dynamic port to use instead. I'd recommend writing a rule to accept/ignore traffic both to and from port 53 (local and remote). It is possible to have a situation where dynamic ports are used on both ends, but I haven't seen it actually happen myself; it usually uses 53 on one end or the other.

Mike E.

Message: 4
Date: Tue, 19 Mar 2002 10:57:37 +0530
From: Dushyanth Harinath <dushy () symonds net>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] DNS portscan alerts
Reply-To: Dushyanth Harinath <dushy () symonds net>
Organization: Never Mind!!

* Leigh David Heyman <leigh () ai mit edu> [020319 04:15]:
> > Oh, sorry, my mistake, but the alerts are from many nameservers, not from a particular one, and listing them all is not possible.
> True, but are the scans TO several systems or just one or a few... while clearly you can't ignore all the external nameservers which are "scanning" you, can you possibly exclude your "internal" systems which are being "scanned" from the group of systems which spp_portscan is watching over, or would that simply mean your entire network, and thus disabling spp_portscan altogether?

No, I can't do that because it's my public interface. Let me explain to you better.

     --------
     |Router|
     --------
        |
        |  eth0 (xxx.xxx.xxx.xxx) public IP
     ----------
     | server |
     |        |
     ----------
        |  eth1 (192.168.0.1) Local LAN IP
        |  Snort and dnscache
     ---------------------------
      |   |   |   |   |   |
      client machines on lan

Whenever the dnscache running on (192.168.0.1) queries an external DNS it results in a portscan alert with source from the external DNS and dest as my public interface on the server. Some of the logs again:

Mar 15 12:05:27 203.255.112.34:53 -> xxx.xxx.xxx.xxx:8067 UDP
Mar 15 12:05:27 203.255.112.34:53 -> xxx.xxx.xxx.xxx:39735 UDP
Mar 15 12:05:27 203.255.112.34:53 -> xxx.xxx.xxx.xxx:9439 UDP
Mar 15 12:05:28 203.255.112.34:53 -> xxx.xxx.xxx.xxx:41048 UDP
Mar 15 12:05:28 203.255.112.34:53 -> xxx.xxx.xxx.xxx:61123 UDP
Mar 15 12:05:28 203.255.112.34:53 -> xxx.xxx.xxx.xxx:57003 UDP
Mar 15 12:05:28 203.255.112.34:53 -> xxx.xxx.xxx.xxx:49847 UDP
Mar 15 12:05:29 203.255.112.34:53 -> xxx.xxx.xxx.xxx:6503 UDP
Mar 15 12:05:29 203.255.112.34:53 -> xxx.xxx.xxx.xxx:14650 UDP
Mar 15 12:05:29 203.255.112.34:53 -> xxx.xxx.xxx.xxx:24046 UDP
Mar 15 12:05:29 203.255.112.34:53 -> xxx.xxx.xxx.xxx:45110 UDP
Mar 15 12:05:29 203.255.112.34:53 -> xxx.xxx.xxx.xxx:16721 UDP

So, I can't ignore the portscan traffic to the public interface. Hope I have explained clearly now :)

cheers
dushyanth
--
How about some patent              | Dushyanth Harinath
on "(a+b)2 == a2+2ab+b2"           | Archean Infotech
... choose free software!          | http://www.archeanit.com
--some Usenet siggy                | http://symonds.net/~dushy

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
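As an added example (not part of the thread or of Snort itself), a small Python triage script that reads lines in the spp_portscan log format quoted above and separates the resolver-reply pattern described here (UDP from source port 53 to ephemeral destination ports) from other scan-like activity; the 203.0.113.10 public address and the 198.51.100.7 SYN lines are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the spp_portscan log format quoted in the thread.
# The xxx.xxx.xxx.xxx public IP is replaced by a placeholder (203.0.113.10) and
# the 198.51.100.7 SYN lines are a constructed scan added for contrast.
SAMPLE_LOG = """\
Mar 15 12:05:27 203.255.112.34:53 -> 203.0.113.10:8067 UDP
Mar 15 12:05:27 203.255.112.34:53 -> 203.0.113.10:39735 UDP
Mar 15 12:05:28 203.255.112.34:53 -> 203.0.113.10:41048 UDP
Mar 15 12:05:28 203.255.112.34:53 -> 203.0.113.10:61123 UDP
Mar 15 12:06:01 198.51.100.7:40001 -> 203.0.113.10:22 SYN ******S*
Mar 15 12:06:01 198.51.100.7:40002 -> 203.0.113.10:23 SYN ******S*
Mar 15 12:06:02 198.51.100.7:40003 -> 203.0.113.10:25 SYN ******S*
"""

# "<Mon dd hh:mm:ss> <src>:<sport> -> <dst>:<dport> <proto> ..." ; trailing flags ignored
LINE_RE = re.compile(r"^(\w{3}\s+\d+\s[\d:]+)\s(\S+):(\d+)\s->\s(\S+):(\d+)\s(\S+)")

def parse(log_text):
    """Return (timestamp, src, sport, dst, dport, proto) tuples; skip unparsable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, sport, dst, dport, proto = m.groups()
            events.append((ts, src, int(sport), dst, int(dport), proto))
    return events

def classify(events, ephemeral_min=1024):
    """Per source host: 'dns-response' if every packet is UDP from port 53 to an
    ephemeral port (the dnscache reply pattern from the thread), else 'suspicious'.
    Caveat: anything can claim source port 53, so before treating a source as noise
    confirm that the local resolver actually sent it a query at that time."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    verdicts = {}
    for src, evs in by_src.items():
        dns_like = all(proto == "UDP" and sport == 53 and dport >= ephemeral_min
                       for _, _, sport, _, dport, proto in evs)
        verdicts[src] = "dns-response" if dns_like else "suspicious"
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify(parse(SAMPLE_LOG)).items():
        print(f"{src:16} {verdict}")
```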