Snort mailing list archives

RE: MISC source port 53 to <1024 question


From: Michael Ritzert <michael.ritzert () realtech de>
Date: Tue, 9 Oct 2001 12:56:43 +0200

Hi all,

sorry for breaking the thread, but I only just subscribed to the list and 
don't have the original message available.

I'm running a public DNS server and also very often (i.e. every 1 to 2 
minutes) see that very log entry.
Because this is to be the first rule I'll write, I'd prefer to verify it with 
you before I enable it.
I would go for

alert udp $EXTERNAL_NET 53 -> $HOME_NET :52 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET 54:1023 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)

Instead of the single 53 -> $HOME_NET :1023 entry.
Is this correct?

Thanks,
Michael
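To check the port-range reasoning in the proposal above, here is an added example (my own code, not from anyone in this thread) that evaluates Snort-style port specifications against the packet ports from an alert line. It covers the notations used here (`53`, `:1023`, `:52`, `54:1023`) plus `any`, `N:` and a leading `!`, and it only matches the port fields of a rule header, not the `$HOME_NET`/`$EXTERNAL_NET` addresses. The sample packet line is taken from the alert quoted below; the other packet lines are constructed.

```python
"""Evaluate Snort UDP port specs against packet ports (added example).

Only the port fields of a rule header are matched here; address variables
such as $HOME_NET are ignored for the purpose of the comparison.
"""

from typing import Callable, List

# Rule quoted in the thread, and the two proposed replacements.
ORIGINAL_RULE = ('alert udp $EXTERNAL_NET 53 -> $HOME_NET :1023 '
                 '(msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)')
SPLIT_RULES = [
    'alert udp $EXTERNAL_NET 53 -> $HOME_NET :52 (msg:"MISC source port 53 to <1024";)',
    'alert udp $EXTERNAL_NET 53 -> $HOME_NET 54:1023 (msg:"MISC source port 53 to <1024";)',
]


def parse_port_spec(spec: str) -> Callable[[int], bool]:
    """Return a predicate for one Snort port field.

    Accepts 'any', 'N', ':N' (0..N), 'N:' (N..65535), 'M:N', and a leading
    '!' that negates the spec (e.g. '!53').
    """
    spec = spec.strip()
    if spec.startswith("!"):
        inner = parse_port_spec(spec[1:])
        return lambda p: not inner(p)
    if spec == "any":
        return lambda p: True
    if ":" in spec:
        lo_s, hi_s = spec.split(":", 1)
        lo = int(lo_s) if lo_s else 0
        hi = int(hi_s) if hi_s else 65535
    else:
        lo = hi = int(spec)
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"bad port spec: {spec!r}")
    return lambda p: lo <= p <= hi


def rule_matches_ports(rule: str, src_port: int, dst_port: int) -> bool:
    """Match src/dst ports against a header of the form
    'alert udp SRC SPORT -> DST DPORT (...)'."""
    header = rule.split("(", 1)[0].split()
    # header tokens: action, proto, src_net, src_port, '->', dst_net, dst_port
    if len(header) != 7 or header[4] != "->":
        raise ValueError(f"unsupported rule header: {rule!r}")
    return (parse_port_spec(header[3])(src_port)
            and parse_port_spec(header[6])(dst_port))


def ports_from_alert_line(line: str) -> tuple:
    """Extract (src_port, dst_port) from a Snort alert packet line such as
    '10/07-20:02:56.074735 161.69.3.150:53 -> 206.222.193.73:53'."""
    _ts, src, _arrow, dst = line.split()
    return int(src.rsplit(":", 1)[1]), int(dst.rsplit(":", 1)[1])


def firing_rules(rules: List[str], src_port: int, dst_port: int) -> List[int]:
    """Indexes of the rules whose port fields match the packet."""
    return [i for i, r in enumerate(rules) if rule_matches_ports(r, src_port, dst_port)]


# Packet line quoted in the thread, plus constructed lines for comparison.
SAMPLE_LINES = [
    "10/07-20:02:56.074735 161.69.3.150:53 -> 206.222.193.73:53",   # from the thread
    "10/07-20:03:01.000000 192.0.2.10:53 -> 198.51.100.5:1000",     # constructed
    "10/07-20:03:02.000000 192.0.2.10:53 -> 198.51.100.5:1024",     # constructed
]


def summarize(lines: List[str]) -> List[tuple]:
    """For each packet: (dst_port, original rule fires?, split rules that fire)."""
    out = []
    for line in lines:
        sp, dp = ports_from_alert_line(line)
        out.append((dp, rule_matches_ports(ORIGINAL_RULE, sp, dp),
                    firing_rules(SPLIT_RULES, sp, dp)))
    return out


if __name__ == "__main__":
    for dp, orig, split in summarize(SAMPLE_LINES):
        print(f"dst port {dp:5d}: original rule fires={orig}, split rules firing={split}")
```

Run as a script it prints one line per packet; the 53 -> 53 reply alerts under the original `:1023` rule and under neither of the split rules, while a reply to port 1000 still alerts under the second split rule. Note that both proposed rules carry the same `sid:515`; Snort identifies rules by SID, so the second one would normally be given its own SID.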


==========================
FROM: Madhav Diwan
DATE: 10/07/2001 20:10:36
SUBJECT: RE:  [Snort-users] MISC source port 53 to <1024 question

Your problem is not really a major problem. You can fix it easily by changing
the alert statement to reflect which port you are accepting dns responses
into ... rather than $HOME_NET :1023 .. since you are accepting dns responses
on port 53, make sure that port 53 is outside the range of the alert.
[...]

Rich Adamson wrote:

Wonder if someone can help explain the following rule. I seem to be
getting a lot of what appears to be valid DNS lookups to our primary
DNS server with both a "source and destination port of 53" (as observed
with a Sniffer). (Snort v1.8.1)

alert udp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port
53 to <1024"; classtype:bad-unknown;
sid:515; rev:2;)

The typical alert looks like:

[**] MISC source port 53 to <1024 [**]
10/07-20:02:56.074735 161.69.3.150:53 -> 206.222.193.73:53
UDP TTL:240 TOS:0x0 ID:29841 IpLen:20 DgmLen:57 DF
Len: 37
[...]

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

