Snort mailing list archives
Re: MISC source port 53 to <1024 question
From: "Bruno Gimenes Pereti" <pereti () ump edu br>
Date: Tue, 9 Oct 2001 11:05:23 -0300
Rich, you replied only to me, so I'm forwarding my response to the list. And you are right, I forgot the ports above 1023... Bruno.

----- Original Message -----
From: "Rich Adamson" <radamson () routers com>
To: "Bruno Gimenes Pereti" <pereti () ump edu br>
Sent: Tuesday, October 09, 2001 11:18 AM
Subject: Re: [Snort-users] MISC source port 53 to <1024 question

The rule below would appear to generate an alert on every "correct" response received from external dns servers (eg, root servers, authoritative servers), and basically defines normal responses.

The original rule (from the snort.org downloads) was intended to generate an alert when the external source used a "source port" of 53 and a destination port below 1023. However, "some" internet devices actually use port 53 for both the source and destination port (causing a false positive alert).

Assuming one would like to be alerted when the source is 53 and the destination port is anything below 1023 except for 53, then it would seem the only reasonable logic is to use the original rule along with a "pass" rule (allowing 53 to 53) and the -o startup option (testing order pass|alert|log|...).

Anyone have any thoughts on that?

> I'd never made a rule but I think it could be only one:
>
> alert udp $EXTERNAL_NET 53 -> $HOME_NET !53 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)
>
> Please, correct me if I'm wrong.
>
> Bruno.
>
> > Hi all,
> >
> > sorry for breaking the thread, but I only just subscribed to the list and don't have the original message available.
> >
> > I'm running a public DNS server and also very often (i.e. every 1 to 2 minutes) see that very log entry. Because this is to be the first rule I'll write, I'd prefer to verify it with you before I enable it.
> >
> > I would go for
> >
> > alert udp $EXTERNAL_NET 53 -> $HOME_NET :52 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)
> > alert udp $EXTERNAL_NET 53 -> $HOME_NET 54:1023 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)
> >
> > instead of the single 53 -> $HOME_NET :1023 entry. Is this correct?
> >
> > Thanks,
> > Michael
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
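As an added example (not code from the Snort project or from any poster in this thread), the following Python script models the Snort 1.x port-spec syntax and the rule-type test order the posters are arguing about, and runs the four proposals (the original :1023 rule, the !53 rule, the :52 plus 54:1023 pair, and the original rule plus a pass rule with and without -o) over constructed UDP packets. The packet list, the rule-set names, and the simplified "first matching rule type decides" evaluation are assumptions of the example, not Snort's exact engine; all packets are assumed to flow from $EXTERNAL_NET to $HOME_NET so that only ports and ordering matter.

```python
"""
Model of the Snort 1.x port matching and rule-type ordering behind the
"MISC source port 53 to <1024" discussion.

Added example, not code from the Snort project or from any poster.  Only the
port-spec subset used in the thread is implemented (`53`, `!53`, `:52`,
`54:1023`, `:1023`, `any`).  Every constructed packet is assumed to travel
$EXTERNAL_NET -> $HOME_NET, so network fields are parsed but not evaluated.
"""

import re

# Rule header: action proto src_net src_port -> dst_net dst_port [(options)]
RULE_HEADER = re.compile(
    r"^(?P<action>alert|pass|log)\s+(?P<proto>\w+)\s+(?P<src_net>\S+)\s+"
    r"(?P<src_port>\S+)\s+->\s+(?P<dst_net>\S+)\s+(?P<dst_port>\S+)\s*"
    r"(\((?P<opts>.*)\))?\s*$"
)


def parse_port_spec(spec):
    """Return (negated, low, high) for a Snort 1.x port spec such as '!53' or ':1023'."""
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        low, high = 0, 65535
    elif ":" in spec:
        lo, hi = spec.split(":", 1)
        low = int(lo) if lo else 0        # ':52'  means 0..52
        high = int(hi) if hi else 65535   # '1024:' means 1024..65535
    else:
        low = high = int(spec)
    if not 0 <= low <= high <= 65535:
        raise ValueError("bad port spec %r" % spec)
    return negated, low, high


def port_matches(spec, port):
    negated, low, high = parse_port_spec(spec)
    inside = low <= port <= high
    return (not inside) if negated else inside


def parse_rule(text):
    m = RULE_HEADER.match(text.strip())
    if m is None:
        raise ValueError("unparsable rule: %r" % text)
    return m.groupdict()


def evaluate(rules, packets, order=("alert", "pass", "log")):
    """Return the (src_port, dst_port) packets that raise an alert.

    `order` is the rule-type test order.  Snort 1.x tests alert -> pass -> log
    by default; the -o switch changes it to pass -> alert -> log.  Here the
    first rule type containing a matching rule decides the packet, which is
    why a pass rule only silences an alert when pass is tested first.
    """
    parsed = [parse_rule(r) for r in rules]
    alerted = []
    for src, dst in packets:
        for action in order:
            hit = any(
                r["action"] == action
                and r["proto"] == "udp"
                and port_matches(r["src_port"], src)
                and port_matches(r["dst_port"], dst)
                for r in parsed
            )
            if hit:
                if action == "alert":
                    alerted.append((src, dst))
                break
    return alerted


OPTS = '(msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)'

ORIGINAL = ["alert udp $EXTERNAL_NET 53 -> $HOME_NET :1023 " + OPTS]
BRUNO = ["alert udp $EXTERNAL_NET 53 -> $HOME_NET !53 " + OPTS]
MICHAEL = [
    "alert udp $EXTERNAL_NET 53 -> $HOME_NET :52 " + OPTS,
    "alert udp $EXTERNAL_NET 53 -> $HOME_NET 54:1023 " + OPTS,
]
# Rich's proposal: keep the original rule and add a pass rule for 53 -> 53.
RICH = ORIGINAL + ["pass udp $EXTERNAL_NET 53 -> $HOME_NET 53"]

# Constructed UDP packets (src_port, dst_port), all $EXTERNAL_NET -> $HOME_NET.
PACKETS = [(53, 53), (53, 52), (53, 54), (53, 80), (53, 1023),
           (53, 1024), (53, 5000), (1234, 53)]


def compare():
    """Alerting packets per proposal; keys are names chosen for this example."""
    return {
        "original": evaluate(ORIGINAL, PACKETS),
        "bruno_!53": evaluate(BRUNO, PACKETS),
        "michael_two_ranges": evaluate(MICHAEL, PACKETS),
        "rich_pass_default_order": evaluate(RICH, PACKETS),
        "rich_pass_with_-o": evaluate(RICH, PACKETS, order=("pass", "alert", "log")),
    }


if __name__ == "__main__":
    for name, hits in compare().items():
        print("%-26s %s" % (name, hits))
```

Running it shows the three behaviours the thread circles around: the original :1023 rule fires on the 53 -> 53 packet (the false positive), the !53 rule stops firing on 53 -> 53 but starts firing on destination ports 1024 and 5000 (the "ports above 1023" Bruno says he forgot), and the two-range rule set gives the same result as the original rule plus a pass rule, but only when the pass type is tested first, i.e. with -o; with the default order the pass rule is never reached and the output is identical to the original rule.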
Current thread:
- MISC source port 53 to <1024 question Rich Adamson (Oct 07)
- Re: MISC source port 53 to <1024 question Madhav Diwan (Oct 07)
- <Possible follow-ups>
- RE: MISC source port 53 to <1024 question Michael Ritzert (Oct 09)
- Re: MISC source port 53 to <1024 question Bruno Gimenes Pereti (Oct 09)
- Message not available
- Re: MISC source port 53 to <1024 question Bruno Gimenes Pereti (Oct 09)
- Re: MISC source port 53 to <1024 question Bruno Gimenes Pereti (Oct 09)