Snort mailing list archives

RE: Snort-users digest, Vol 1 #1701 - 14 msgs


From: "Michael B. Easter" <mb.easter () comcast net>
Date: Tue, 19 Mar 2002 08:57:33 -0500

What you are seeing IS DNS traffic.  BIND DNS uses UDP and TCP port 53 on
the server, and a dynamic UDP port on the client to handle
requests/responses.  In the event port 53 is not available on either
machine, it will search for a dynamic port to use instead.  I'd recommend
writing a rule to accept/ignore traffic both to and from port 53 (local and
remote).  It is possible to have a situation where dynamic ports are used on
both ends, but I haven't seen it actually happen myself; it usually uses 53
on one end or the other.

Mike E.



Message: 4
Date: Tue, 19 Mar 2002 10:57:37 +0530
From: Dushyanth Harinath <dushy () symonds net>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] DNS portscan alerts
Reply-To: Dushyanth Harinath <dushy () symonds net>
Organization: Never Mind!!

* Leigh David Heyman <leigh () ai mit edu> [020319 04:15]:


Oh, sorry, my mistake, but the alerts are from many nameservers, not
from a particular one, and listing them all is not possible.


True, but are the scans TO several systems or just one or a few... while
clearly you can't ignore all the external nameservers which are "scanning"
you, can you possibly exclude your "internal" systems which are being
"scanned" from the group of systems which spp_portscan is watching over, or
would that simply mean your entire network, and thus disabling spp_portscan
altogether?

No, I can't do that because it's my public interface.

Let me explain it better.

                             --------
                             |Router|
                             --------
                               |
                               | eth0 (xxx.xxx.xxx.xxx) public IP
                            ----------
                            | server |
                            |        |
                             ---------
                               | eth1 (192.168.0.1) Local Lan IP
                               | Snort and dnscache
                  ---------------------------
                  |     |    |    |     |   |

                    client machines on lan


Whenever the dnscache running on 192.168.0.1 queries an external DNS server,
it results in a portscan alert with the external DNS server as the source and
my public interface on the server as the destination.

Some of the logs again.

Mar 15 12:05:27 203.255.112.34:53 -> xxx.xxx.xxx.xxx:8067 UDP
Mar 15 12:05:27 203.255.112.34:53 -> xxx.xxx.xxx.xxx:39735 UDP
Mar 15 12:05:27 203.255.112.34:53 -> xxx.xxx.xxx.xxx:9439 UDP
Mar 15 12:05:28 203.255.112.34:53 -> xxx.xxx.xxx.xxx:41048 UDP
Mar 15 12:05:28 203.255.112.34:53 -> xxx.xxx.xxx.xxx:61123 UDP
Mar 15 12:05:28 203.255.112.34:53 -> xxx.xxx.xxx.xxx:57003 UDP
Mar 15 12:05:28 203.255.112.34:53 -> xxx.xxx.xxx.xxx:49847 UDP
Mar 15 12:05:29 203.255.112.34:53 -> xxx.xxx.xxx.xxx:6503 UDP
Mar 15 12:05:29 203.255.112.34:53 -> xxx.xxx.xxx.xxx:14650 UDP
Mar 15 12:05:29 203.255.112.34:53 -> xxx.xxx.xxx.xxx:24046 UDP
Mar 15 12:05:29 203.255.112.34:53 -> xxx.xxx.xxx.xxx:45110 UDP
Mar 15 12:05:29 203.255.112.34:53 -> xxx.xxx.xxx.xxx:16721 UDP


So, I can't ignore the portscan traffic to the public interface.

Hope I have explained it clearly now :)
cheers
dushyanth
--
How about some patent       |  Dushyanth Harinath
on "(a+b)2 == a2+2ab+b2"    |  Archean Infotech
... choose free software!   |  http://www.archeanit.com
 --some Usenet siggy        |  http://symonds.net/~dushy
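The lines Dushyanth posted are exactly the pattern Mike E. describes: a recursive resolver (dnscache) sends queries from a different ephemeral source port each time, and every reply comes back from the remote nameserver's port 53 to a different high port on the public interface, which spp_portscan counts as one host hitting many ports. The following is an added example, not code from the thread or from Snort, that post-filters spp_portscan log lines with the rule Mike suggests (treat UDP traffic to or from port 53 as DNS) while keeping anything else as a scan candidate. The sample log is constructed: the first lines are modelled on Dushyanth's output (with his `xxx.xxx.xxx.xxx` placeholder kept), and the two `SYN` lines are invented to show traffic that must not be suppressed. The ephemeral-port threshold of 1024 and the class names are assumptions of this example.

```python
"""Post-filter for Snort 1.x spp_portscan log lines (added example, not
part of the original thread or of Snort itself).

Separates DNS replies (UDP, source port 53, destination on an ephemeral
port) from everything else, so a resolver's normal traffic does not drown
real portscan entries.  Caveat, also raised in the thread: an attacker can
source a scan from port 53, so only UDP replies to ephemeral ports are
treated as DNS here; TCP from port 53 and UDP to low ports still count.
"""
import re
from collections import Counter

# Constructed sample log.  Lines 1-3 are modelled on the post above; the
# two SYN lines are invented and represent a scan that must be kept.
SAMPLE_LOG = """\
Mar 15 12:05:27 203.255.112.34:53 -> xxx.xxx.xxx.xxx:8067 UDP
Mar 15 12:05:27 203.255.112.34:53 -> xxx.xxx.xxx.xxx:39735 UDP
Mar 15 12:05:28 203.255.112.34:53 -> xxx.xxx.xxx.xxx:41048 UDP
Mar 15 12:05:30 198.51.100.7:4242 -> xxx.xxx.xxx.xxx:22 SYN ******S*
Mar 15 12:05:30 198.51.100.7:4243 -> xxx.xxx.xxx.xxx:23 SYN ******S*
"""

# "<Mon> <day> <hh:mm:ss> <src>:<sport> -> <dst>:<dport> <proto-or-flags>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) (?P<proto>\S+)"
)

EPHEMERAL_MIN = 1024  # assumption: ports below this are treated as services


def parse(line):
    """Return a dict of fields for one spp_portscan line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec):
    """Apply Mike E.'s rule: UDP to/from port 53 is DNS, not a scan."""
    udp = rec["proto"] == "UDP"
    if udp and rec["sport"] == 53 and rec["dport"] >= EPHEMERAL_MIN:
        return "dns-response"   # reply from a remote nameserver to the resolver
    if udp and rec["dport"] == 53:
        return "dns-query"      # query towards a nameserver
    return "scan-candidate"     # everything else stays on the report


def summarize(log_text):
    """Count each class overall and per source host.

    Returns (counts, per_source), where per_source maps a source address to
    a Counter of classes seen from it.
    """
    counts = Counter()
    per_source = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        cls = classify(rec)
        counts[cls] += 1
        per_source.setdefault(rec["src"], Counter())[cls] += 1
    return counts, per_source


if __name__ == "__main__":
    totals, by_src = summarize(SAMPLE_LOG)
    print("totals:", dict(totals))
    for src, c in by_src.items():
        print(src, dict(c))
```

Run against the sample, the three lines from 203.255.112.34 fall into `dns-response` and only 198.51.100.7 remains a `scan-candidate`. The filter is deliberately narrow: it does not implement the "dynamic ports on both ends" case Mike mentions, because nothing in such a line distinguishes it from a scan; a stricter version would pair each inbound reply with an earlier outbound query from the same ephemeral port, which needs both directions of traffic, not just the portscan log.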


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users