Snort mailing list archives
Version 1.8-beta6 (Build 26)
From: Phil Wood <cpw () lanl gov>
Date: Wed, 20 Jun 2001 14:56:58 -0600
Folks,

You will get inundated with MISC source port 53 to <1024 alerts unless you fix the following rules:

misc.rules:alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1024 (msg:"MISC Source Port 20 to <1024"; flags:S; reference:arachnids,06; classtype:bad-unknown; sid:503; rev:1;)
misc.rules:alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1024"; flags:S; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:1;)
misc.rules:alert udp $EXTERNAL_NET 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:1;)

Notice the :1024. That means <= (less than or equal to), which catches all the legitimate low-port to 1024 return packets.

These rules should be:

misc.rules:alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"MISC Source Port 20 to <1024"; flags:S; reference:arachnids,06; classtype:bad-unknown; sid:503; rev:1;)
misc.rules:alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; flags:S; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:1;)
misc.rules:alert udp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:1;)

You will still get a bunch of false positives from operating systems with broken IP stacks (or lack thereof).

Thanks,
Phil

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
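To make the off-by-one concrete, here is an added example (not code from the post, nor from the Snort project) that models how Snort reads the port specifications in these rule headers, including the inclusive upper bound of ":N" and the flags:S option on the TCP rules, and runs the shipped ":1024" rules and the corrected ":1023" rules side by side over a handful of constructed packets. The function names (port_range, make_rules, compare), the packet list, and the reduced matcher (addresses are left out; the $EXTERNAL_NET -> $HOME_NET direction is assumed to hold) are assumptions for illustration only.

```python
"""Snort port-range semantics and the false positive described in the post.

Added example, not Snort code. It reproduces just enough of rule-header
matching (protocol, source port, destination port, and the flags:S option on
the TCP rules) to show why ":1024" alerts on ordinary replies to a client
that bound ephemeral port 1024, and why ":1023" does not.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

PORT_MAX = 65535


def port_range(spec: str) -> tuple[int, int]:
    """Translate a Snort port specification into an inclusive (lo, hi) pair.

    Supported forms: "any", "53", ":1024" (0..1024, upper bound included),
    "1024:" (1024..65535) and "20:25" (20..25). The post's point is exactly
    that ":1024" covers port 1024 itself.
    """
    spec = spec.strip()
    if spec == "any":
        return 0, PORT_MAX
    m = re.fullmatch(r"(\d*)(:?)(\d*)", spec)
    if not m or spec in ("", ":"):
        raise ValueError(f"unsupported port spec: {spec!r}")
    lo_s, colon, hi_s = m.groups()
    if not colon:
        lo = hi = int(lo_s)
    else:
        lo = int(lo_s) if lo_s else 0
        hi = int(hi_s) if hi_s else PORT_MAX
    if not 0 <= lo <= hi <= PORT_MAX:
        raise ValueError(f"port spec out of range: {spec!r}")
    return lo, hi


@dataclass(frozen=True)
class Rule:
    sid: int
    proto: str            # "tcp" or "udp"
    src_ports: str        # Snort port spec for the source port
    dst_ports: str        # Snort port spec for the destination port
    flags: Optional[str]  # "S" for flags:S (exactly SYN set); None if no flags option
    msg: str


@dataclass(frozen=True)
class Packet:
    proto: str
    sport: int
    dport: int
    flags: str = ""       # TCP flags set, e.g. "S", "SA", "PA"; "" for UDP


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Rule header plus the flags option; addresses are assumed to match."""
    if pkt.proto != rule.proto:
        return False
    lo, hi = port_range(rule.src_ports)
    if not lo <= pkt.sport <= hi:
        return False
    lo, hi = port_range(rule.dst_ports)
    if not lo <= pkt.dport <= hi:
        return False
    # flags:S means "exactly SYN set", so a SYN/ACK reply does not match.
    return rule.flags is None or pkt.flags == rule.flags


def make_rules(dst_spec: str) -> list[Rule]:
    """The three misc.rules entries from the post, parameterised on the
    destination port spec (":1024" as shipped, ":1023" as corrected)."""
    return [
        Rule(503, "tcp", "20", dst_spec, "S", "MISC Source Port 20 to <1024"),
        Rule(504, "tcp", "53", dst_spec, "S", "MISC source port 53 to <1024"),
        Rule(515, "udp", "53", dst_spec, None, "MISC source port 53 to <1024"),
    ]


def alerting_sids(rules: list[Rule], pkt: Packet) -> list[int]:
    return [r.sid for r in rules if rule_matches(r, pkt)]


# Constructed traffic, not captured data. Many stacks of the period handed
# out 1024 as the first ephemeral port, so replies to it are routine.
TRAFFIC = {
    "dns reply to ephemeral 1024":        Packet("udp", 53, 1024),
    "dns reply to ephemeral 1023":        Packet("udp", 53, 1023),
    "dns reply to ephemeral 32768":       Packet("udp", 53, 32768),
    "ftp-data SYN to client port 1024":   Packet("tcp", 20, 1024, "S"),
    "ftp-data SYN to client port 1025":   Packet("tcp", 20, 1025, "S"),
    "SYN from port 53 to port 80":        Packet("tcp", 53, 80, "S"),
    "SYN/ACK from port 53 to port 1023":  Packet("tcp", 53, 1023, "SA"),
}


def compare(traffic=TRAFFIC) -> dict[str, tuple[list[int], list[int]]]:
    """Per packet: SIDs firing under the shipped (:1024) rules, then under
    the corrected (:1023) rules."""
    shipped, fixed = make_rules(":1024"), make_rules(":1023")
    return {name: (alerting_sids(shipped, p), alerting_sids(fixed, p))
            for name, p in traffic.items()}


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:36s} :1024 -> {before or '-':<8} :1023 -> {after or '-'}")
```

Running it shows the two flows the post is about: the DNS reply to port 1024 and the active-mode FTP data SYN to port 1024 fire sids 515 and 503 under ":1024" and are silent under ":1023", while a SYN from source port 53 to port 80 still fires 504 under both, which is the behaviour the rules are meant to keep.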