Snort mailing list archives
Re: Portscan preprocessor catching DNS replies
From: root <nantel () ecopiabio com>
Date: Thu, 16 Aug 2001 09:52:33 -0400
Hi there,

Thanks to Mr. Persson for the fix. I have no experience with BPF per se and have not taken the time to translate the following to BPF, but perhaps a better rule would be to ignore traffic that is UDP source port 53, destination port >1024? This would effectively rule out any response to DNS traffic.

I am not too concerned with the services running on UDP ports greater than 1024, and I don't think any reasonably set-up Internet-visible server should be too concerned with it, especially behind a good firewall ruleset. They'll try exploiting your wide-open ports before doing some serious packet crafting in an attempt to bypass your fw rules. Humans are lazy.

-Mathieu

Jörgen Persson wrote:
> On Thu, Aug 16, 2001 at 12:29:06AM +0200, Jörgen Persson wrote:
> [snip]
>
> As Andreas pointed out on the list, that filter I mentioned filters out everything from udp source port 53. I'm trying a more narrow bpf rule at the moment.
>
>     dst host $MY_IP and \
>       (not udp src port 53 or \
>        udp dst port $UDP_SERVICE_A or \
>        udp dst port $UDP_SERVICE_B or \
>        . . .
>        udp dst port $UDP_SERVICE_N)
>
> The idea is to exclude traffic from udp port 53 to udp ports on my host without services. I don't know if it works or not but it might help you. By the way, you have to write the rule on one line without the backslashes. Change the variables to something more appropriate.
>
> Jörgen
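The two exclusions discussed above differ in what they let through to the portscan preprocessor. The following added example (not code from either poster) builds Jörgen's filter string from a list of service ports, renders Mathieu's ">1024" idea as one possible BPF expression (the `udp[2:2] > 1024` form is my assumption; `udp[2:2]` is the UDP destination port field), and runs both policies over constructed packet records so the difference is visible without a live sensor. The host address and service ports are constructed values.

```python
"""Compare the two DNS-reply exclusions from the thread on constructed traffic.

Both filters are modelled in Python so the comparison runs offline; the BPF
strings are returned too, ready to paste on one line as the quoted reply says.
"""
from dataclasses import dataclass
from typing import Dict, List

MY_IP = "192.0.2.10"          # constructed: the monitored host
UDP_SERVICES = [123, 1194]    # constructed: UDP ports that really run a service


@dataclass(frozen=True)
class Pkt:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


def persson_bpf(my_ip: str, services: List[int]) -> str:
    """Jörgen's filter, written on one line: keep everything to my_ip except
    UDP from source port 53 aimed at a port with no service behind it."""
    terms = ["not udp src port 53"] + [f"udp dst port {p}" for p in services]
    return f"dst host {my_ip} and ({' or '.join(terms)})"


def nantel_bpf(my_ip: str) -> str:
    """One BPF rendering (an assumption, not from the post) of Mathieu's idea:
    drop UDP from source port 53 whose destination port is above 1024.
    udp[2:2] is the 16-bit UDP destination port."""
    return f"dst host {my_ip} and not (udp src port 53 and udp[2:2] > 1024)"


def persson_keeps(p: Pkt, my_ip: str, services: List[int]) -> bool:
    """Python model of persson_bpf(): True if the packet reaches Snort."""
    if p.dst != my_ip:
        return False
    if not (p.proto == "udp" and p.sport == 53):
        return True
    return p.dport in services


def nantel_keeps(p: Pkt, my_ip: str) -> bool:
    """Python model of nantel_bpf(): True if the packet reaches Snort."""
    if p.dst != my_ip:
        return False
    return not (p.proto == "udp" and p.sport == 53 and p.dport > 1024)


# Constructed sample traffic; index numbers are referenced in compare().
PACKETS = [
    Pkt("udp", "198.51.100.1", 53, MY_IP, 33001),  # 0: real DNS reply to a resolver's ephemeral port
    Pkt("udp", "198.51.100.1", 53, MY_IP, 1194),   # 1: src 53 to a high port that does run a service
    Pkt("udp", "203.0.113.7", 53, MY_IP, 161),     # 2: src 53 to a low port with no service listed
    Pkt("tcp", "203.0.113.7", 40001, MY_IP, 22),   # 3: ordinary TCP connection attempt
    Pkt("udp", "203.0.113.7", 40000, MY_IP, 33001),  # 4: UDP from a non-DNS source port
    Pkt("udp", "198.51.100.1", 53, "192.0.2.99", 33001),  # 5: reply to a different host
]


def compare(packets: List[Pkt], my_ip: str, services: List[int]) -> Dict[str, List[int]]:
    """Return, per policy, the indices of packets that would still be seen
    by the portscan preprocessor."""
    return {
        "persson": [i for i, p in enumerate(packets) if persson_keeps(p, my_ip, services)],
        "nantel": [i for i, p in enumerate(packets) if nantel_keeps(p, my_ip)],
    }


if __name__ == "__main__":
    print(persson_bpf(MY_IP, UDP_SERVICES))
    print(nantel_bpf(MY_IP))
    for name, kept in compare(PACKETS, MY_IP, UDP_SERVICES).items():
        print(f"{name}: packets still inspected -> {kept}")
```

The run shows the trade-off each poster accepts: Jörgen's filter keeps the reply to the real high-port service (packet 1) but hides source-port-53 traffic to unlisted low ports (packet 2), while Mathieu's filter does the reverse. Neither touches TCP, non-DNS UDP, or traffic to other hosts.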
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Portscan preprocessor catching DNS replies Mathieu Nantel (Aug 15)
- Re: Portscan preprocessor catching DNS replies Jörgen Persson (Aug 15)
- Re: Portscan preprocessor catching DNS replies Andreas Östling (Aug 15)
- Re: Portscan preprocessor catching DNS replies Jörgen Persson (Aug 15)
- Re: Portscan preprocessor catching DNS replies Jörgen Persson (Aug 15)
- Re: Portscan preprocessor catching DNS replies Andreas Östling (Aug 15)
- Message not available
- Message not available
- Message not available
- Re: Portscan preprocessor catching DNS replies root (Aug 16)
- Re: Portscan preprocessor catching DNS replies Jörgen Persson (Aug 16)
- Re: Portscan preprocessor catching DNS replies Jörgen Persson (Aug 15)
- <Possible follow-ups>
- Re: Portscan preprocessor catching DNS replies Neil Dickey (Aug 15)