Snort mailing list archives
Re: UDP Alerts
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 14 Jan 2002 13:11:35 -0500
I have not seen IMs or streaming media sources trigger this signature yet, but I've seen some old, strange and/or misconfigured DNS servers do this. It seems at one point in history (long, long ago) DNS servers used port 0 in addition to port 53. I'll definitely keep an eye out for this newer source of triggering.
For those who want more details about the packets I saw, they were (some_outside_dns):53 -> (my_local_dns):0 UDP with a body containing a valid DNS query response.
At 08:34 AM 1/13/2002 -0500, you wrote:
I suspected there was a differing definition for "authentication" being used during the discussion! On an unrelated note, is anyone (everyone) seeing streaming media sources (Akamai, RealMedia, AOL and others) trigger the "BAD-TRAFFIC udp port 0" alert? I have to disable that alert manually on each update as a result. Is there ever a case where one must watch this traffic for surreptitious activity?

Frank

-----Original Message-----
From: Saad Kadhi [mailto:bsdguy () docisland org]
Sent: Sunday, January 13, 2002 8:18 AM
To: Frank Reid
Cc: Snort Users; kamesh_rajaram () sify com
Subject: RE: [Snort-users] Patch for ACID....!!

On Sun, 2002-01-13 at 14:01, Frank Reid wrote:
> It could be a useful feature to have both an "anonymous" and "administrator"
> (authenticated) mode on ACID. The anonymous user would be allowed to
> search/display alerts, graph data, etc., but not delete, archive, etc. In
> fact, it would be great to support granular accounts in both ACID and
> Demarc, probably associated with specified database criteria such as the
> alert type, address space, etc. So, if "User X" is associated with address
> 1.2.3.0/24 and has non-administrative permissions (no delete), "User X" is
> only able to query within those bounds after authenticating. "User Y" is a
> website administrator, so he only has non-administrative permissions for
> 1.2.3.4/32 and only for alerts WEB-IIS, WEB-MISC, etc.

Now I got the picture. I thought it was just a need to authenticate access to the acid subdir. My sincere apologies to kamesh for such a misunderstanding.

Regards.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
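As an added triage example (not code from the thread or from Snort), the check below parses a raw IPv4/UDP datagram, flags the port-0 condition behind the "BAD-TRAFFIC udp port 0" alert, and tells the legacy DNS-server case described above (source port 53, payload with the DNS QR bit set) apart from unexplained port-0 traffic; the packet bytes are constructed here for illustration.

```python
import struct


def build_sample(src_port, dst_port, dns_flags):
    """Construct a minimal IPv4/UDP datagram carrying a 12-byte DNS header.
    Sample addresses are documentation ranges; nothing here is captured traffic."""
    dns = struct.pack("!HHHHHH", 0x1234, dns_flags, 1, 1, 0, 0)
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(dns), 0) + dns
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    return ip_hdr + udp


def triage_udp_port0(packet):
    """Return a verdict dict for a UDP packet with port 0 on either side,
    or None when the packet would not match the port-0 condition at all."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if packet[9] != 17:                    # protocol field: 17 == UDP
        return None
    sport, dport, ulen, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if sport != 0 and dport != 0:
        return None
    payload = packet[ihl + 8:ihl + ulen]
    # DNS header: bytes 2-3 are flags; the top bit (QR) is set on responses.
    looks_like_dns_response = (
        sport == 53 and len(payload) >= 12
        and struct.unpack("!H", payload[2:4])[0] & 0x8000 != 0
    )
    if looks_like_dns_response:
        note = ("source port 53 with a DNS response payload: consistent with the "
                "legacy DNS-server behaviour; confirm the source, then consider "
                "suppressing or thresholding the alert for that host only")
    else:
        note = "port 0 UDP with no DNS-response signature: keep alerting, investigate"
    return {"src_port": sport, "dst_port": dport,
            "likely_dns_response": looks_like_dns_response, "note": note}


if __name__ == "__main__":
    print(triage_udp_port0(build_sample(53, 0, 0x8180)))
    print(triage_udp_port0(build_sample(1024, 0, 0x0100)))
```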
Current thread:
- Patch for ACID....!! kamesh_rajaram (Jan 12)
- Re: Patch for ACID....!! Saad Kadhi (Jan 12)
- RE: Patch for ACID....!! Frank Reid (Jan 13)
- RE: Patch for ACID....!! Saad Kadhi (Jan 13)
- UDP Alerts Frank Reid (Jan 13)
- Re: UDP Alerts Matt Kettler (Jan 14)
- RE: Patch for ACID....!! Frank Reid (Jan 13)
- Re: Patch for ACID....!! Saad Kadhi (Jan 12)