Snort mailing list archives

Re: Portscan preprocessor catching DNS replies


From: root <nantel () ecopiabio com>
Date: Thu, 16 Aug 2001 09:52:33 -0400

Hi there,

Thanks to Mr. Persson for the fix. I have no experience with BPF per se
and have not taken the time to translate the following to BPF, but
perhaps a better rule would be to ignore traffic that is UDP source port
53 destination port >1024? This would effectively rule out any response
to DNS traffic. I am not too concerned with the services running on UDP
port greater than 1024, and I don't think any reasonably set up
Internet-visible server should be too concerned with it, especially
behind a good firewall ruleset. They'll try exploiting your wide-open
ports before doing some serious packet crafting in an attempt to bypass
your fw rules. Humans are lazy.

-Mathieu

Jörgen Persson wrote:

On Thu, Aug 16, 2001 at 12:29:06AM +0200, Jörgen Persson wrote:
[snip]
As Andreas pointed out on the list, that filter I mentioned filters
out everything from udp source port 53.

I'm trying a more narrow bpf rule at the moment.

dst host $MY_IP and \
        (not udp src port 53 or \
        udp dst port $UDP_SERVICE_A or \
        udp dst port $UDP_SERVICE_B or \
        .
        .
        .
        udp dst port $UDP_SERVICE_N)

The idea is to exclude traffic from udp port 53 to udp ports on my host
without services. I don't know if it works or not but it might help you.

By the way, you have to write the rule on one line without the
backslashes. Change the variables to something more appropriate.

Jörgen
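The two filters proposed in this thread, Jörgen's service-port list and Mathieu's "source port 53 to a port above 1024" variant, evaluated offline on constructed IPv4/UDP packets so the difference between them is visible. This is an added example, not code from either poster; MY_IP, the UDP_SERVICES set and the sender addresses are placeholders I assumed, and udp[2:2] stands for the UDP destination port field as in BPF syntax.

```python
import struct
from ipaddress import IPv4Address

# Constructed stand-ins for Jörgen's $MY_IP and $UDP_SERVICE_A..N (assumed,
# not from the thread). UDP_SERVICES lists the UDP ports that really listen.
MY_IP = "192.0.2.10"
UDP_SERVICES = {123, 161}

def parse_ipv4(pkt: bytes):
    """Return (dst_ip, udp_sport, udp_dport) for a raw IPv4 packet.
    Ports are None for non-UDP packets, mirroring BPF, where a
    'udp src port 53' test simply fails on non-UDP traffic."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    dst = str(IPv4Address(pkt[16:20]))
    if pkt[9] != 17 or len(pkt) < ihl + 8:
        return dst, None, None
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])  # udp[0:2], udp[2:2]
    return dst, sport, dport

def service_filter(pkt: bytes) -> bool:
    """Jörgen's rule, on one line as he notes it must be written:
    dst host MY_IP and (not udp src port 53 or udp dst port A ... or udp dst port N)"""
    hdr = parse_ipv4(pkt)
    if hdr is None:
        return False
    dst, sport, dport = hdr
    return dst == MY_IP and (sport != 53 or dport in UDP_SERVICES)

def highport_filter(pkt: bytes) -> bool:
    """Mathieu's rule: dst host MY_IP and not (udp src port 53 and udp[2:2] > 1024)"""
    hdr = parse_ipv4(pkt)
    if hdr is None:
        return False
    dst, sport, dport = hdr
    return dst == MY_IP and not (sport == 53 and dport > 1024)

def make_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4/UDP packet (checksums left zero) as constructed test input."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return ip + udp

if __name__ == "__main__":
    # A DNS reply to an ephemeral port is dropped by both rules; a reply to an
    # unlisted low port (1000 here) passes Mathieu's rule but not Jörgen's.
    for dport in (33000, 123, 1000):
        p = make_udp("198.51.100.5", MY_IP, 53, dport)
        print(dport, service_filter(p), highport_filter(p))
```

The last case is the caveat on Mathieu's shortcut: DNS replies to unused ports at or below 1024 still reach the portscan preprocessor, while Jörgen's list also drops replies to any listener you forgot to enumerate.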


