Snort mailing list archives

Version 1.8-beta6 (Build 26)


From: Phil Wood <cpw () lanl gov>
Date: Wed, 20 Jun 2001 14:56:58 -0600


Folks,

You will get inundated with MISC source port 53 to <1024 alerts unless
you fix the following rules:

misc.rules:alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1024 (msg:"MISC Source Port 20 to <1024"; flags:S; reference:arachnids,06; classtype:bad-unknown; sid:503; rev:1;)
misc.rules:alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1024"; flags:S; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:1;)
misc.rules:alert udp $EXTERNAL_NET 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:1;)

Notice the :1024.  That means <= (less than or equal to), which catches
all the legitimate low-port-to-1024 return packets.  These rules should be:

misc.rules:alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"MISC Source Port 20 to <1024"; flags:S; reference:arachnids,06; classtype:bad-unknown; sid:503; rev:1;)
misc.rules:alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; flags:S; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:1;)
misc.rules:alert udp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:1;)

You will still get a bunch of false positives from operating systems with
broken IP stacks (or lack thereof).

Thanks,

Phil
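The off-by-one above comes from Snort's inclusive port-range syntax: `lo:hi` covers both ends, `:hi` means 0 through hi inclusive, and `lo:` means lo through 65535. The following is an added example, not code from the post or from the Snort project: a small matcher that parses that port syntax and the three rule headers quoted above, then runs the original and corrected rules over a few constructed packets to show exactly which traffic the `:1024` version alerts on and the `:1023` version does not. It only compares protocol, ports and the `flags:` option; `$EXTERNAL_NET`/`$HOME_NET` are assumed to match (the constructed packets are all inbound), which is a simplification of Snort's real matching.

```python
"""Snort port-range semantics and the sid 503/504/515 off-by-one.

Added example; not the original post's code nor Snort's own parser.
Assumptions: network variables ($EXTERNAL_NET, $HOME_NET) are taken as
matching, option values contain no ';', and flags: is compared exactly.
"""
import re

# Snort rule header: action proto src sport dir dst dport (options)
RULE_HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_port_spec(spec):
    """Return (negated, lo, hi) for a Snort port field such as ':1024'.

    Snort ranges are inclusive at both ends: ':1024' is 0..1024 (1024 included),
    '1024:' is 1024..65535, '80:90' is 80..90, 'any' is everything.
    """
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    if spec == "any":
        return negated, 0, 65535
    if ":" in spec:
        lo_s, hi_s = spec.split(":", 1)
        lo = int(lo_s) if lo_s else 0
        hi = int(hi_s) if hi_s else 65535
    else:
        lo = hi = int(spec)
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"bad port spec: {spec!r}")
    return negated, lo, hi


def port_matches(spec, port):
    """True if `port` falls inside the Snort port field `spec`."""
    negated, lo, hi = parse_port_spec(spec)
    inside = lo <= port <= hi
    return not inside if negated else inside


def parse_rule(text):
    """Parse one rule line into the fields this matcher cares about."""
    m = RULE_HEADER.match(text.strip())
    if not m:
        raise ValueError("not a rule: " + text)
    opts = {}
    for opt in m.group("opts").split(";"):  # assumes no ';' inside values
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(":")
            opts[key.strip()] = val.strip()
    return {"proto": m.group("proto").lower(), "sport": m.group("sport"),
            "dport": m.group("dport"), "flags": opts.get("flags"),
            "sid": int(opts["sid"])}


def rule_matches(rule, pkt):
    """Protocol, both port fields and (for TCP rules) the flags option must agree."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not port_matches(rule["sport"], pkt["sport"]):
        return False
    if not port_matches(rule["dport"], pkt["dport"]):
        return False
    if rule["flags"] is not None and pkt.get("flags") != rule["flags"]:
        return False
    return True


def fired_sids(rule_texts, pkt):
    """Sorted list of sids that would alert on `pkt`."""
    return sorted(r["sid"] for r in map(parse_rule, rule_texts) if rule_matches(r, pkt))


# The rules as shipped (:1024) and as corrected in the post (:1023).
ORIGINAL_RULES = [
    'alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1024 (msg:"MISC Source Port 20 to <1024"; flags:S; reference:arachnids,06; classtype:bad-unknown; sid:503; rev:1;)',
    'alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1024"; flags:S; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:1;)',
    'alert udp $EXTERNAL_NET 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:1;)',
]
FIXED_RULES = [r.replace(":1024 (", ":1023 (") for r in ORIGINAL_RULES]

# Constructed packets (not captured traffic), all inbound to $HOME_NET.
DNS_REPLY_TO_1024 = {"proto": "udp", "sport": 53, "dport": 1024}       # legit reply to ephemeral 1024
DNS_REPLY_TO_1023 = {"proto": "udp", "sport": 53, "dport": 1023}       # genuinely suspicious target
DNS_REPLY_TO_1025 = {"proto": "udp", "sport": 53, "dport": 1025}       # ordinary ephemeral port
FTP_DATA_SYN_TO_1024 = {"proto": "tcp", "sport": 20, "dport": 1024, "flags": "S"}  # active-mode FTP data


def compare(pkt):
    """(sids under the shipped rules, sids under the corrected rules)."""
    return fired_sids(ORIGINAL_RULES, pkt), fired_sids(FIXED_RULES, pkt)


if __name__ == "__main__":
    for name, pkt in [("DNS reply -> 1024", DNS_REPLY_TO_1024),
                      ("DNS reply -> 1023", DNS_REPLY_TO_1023),
                      ("DNS reply -> 1025", DNS_REPLY_TO_1025),
                      ("FTP-data SYN -> 1024", FTP_DATA_SYN_TO_1024)]:
        old, new = compare(pkt)
        print(f"{name:22} shipped={old} corrected={new}")
```

The DNS reply and FTP-data cases to port 1024 are the traffic the post complains about: both fire under the shipped `:1024` headers and neither fires once the upper bound is 1023, while a packet aimed at 1023 still alerts under both versions.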

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users