Educause Security Discussion mailing list archives

Re: Scanning from source port 53


From: Dave Monnier <dmonnier () IU EDU>
Date: Thu, 9 Sep 2004 20:43:43 -0500

Lois Lehman wrote:
> Has anyone else seen this trick recently for getting through your
> routers?  The source port being used for the scanning is port 53 as it
> is looked upon as normal traffic.
>
> Is there any legitimate application that would send out syn packets from
> port 53?  Do I need to modify our snort rules?


It's a common tactic. You've hit the nail on the head as to its
purpose.  80 is another favorite.

As for your snort rules, it depends on what value the data is to you
from the detect.  Can/Do you modify your network policy to reject/drop
"bad" IPs dynamically?  If not, you can probably dump the rule.  Can/Do
you analyze flow-data looking for activity from/to "bad" IPs based on
detects?  If not, you can probably dump the rule.  If there's nothing in
your strategy that can benefit from the data, I would recommend getting
rid of or changing the rule.  Regular detects that get no attention will
only clutter the detects that do warrant attention.

Cheers,
-Dave

--
| Dave Monnier - dmonnier () iu edu - http://php.indiana.edu/~dmonnier/ |
|  Lead Security Engineer, Information Technology Security Office    |
|  Office of the VP for Information Technology, Indiana University   |

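Detection logic for the behaviour Lois describes, as an added example that is not from the list posting: it flags SYN-only TCP segments leaving source port 53 (or 80, Dave's other favourite), aggregates them per source, and emits only the sources that swept several targets, which is the actionable "bad IP" feed Dave says a rule like this is only worth keeping for. The flow-record format, the function names and the sample records are all constructed for the example.

```python
from collections import defaultdict

# Server ports a stateless router ACL often lets back in unexamined.
SUSPECT_SPORTS = {53, 80}

def parse_flow(line):
    """Parse a constructed 'proto src:sport > dst:dport flags' record."""
    proto, src, _, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"proto": proto.lower(), "src": sip, "sport": int(sport),
            "dst": dip, "dport": int(dport), "flags": set(flags)}

def is_server_port_probe(flow):
    """A bare SYN (no ACK) *from* 53 or 80.  A real DNS/HTTP server answering
    a client carries ACK, so SYN-only from that port is a client-side probe
    wearing a server port; UDP DNS is not TCP and is ignored."""
    return (flow["proto"] == "tcp"
            and flow["sport"] in SUSPECT_SPORTS
            and "S" in flow["flags"] and "A" not in flow["flags"])

def find_scanners(lines, min_targets=3):
    """Map src -> number of distinct dst:dport targets probed, for sources at
    or above min_targets.  One stray SYN is noise; a spread of targets is a
    sweep, and the result is the list a dynamic block or flow hunt can use."""
    targets = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if is_server_port_probe(flow):
            targets[flow["src"]].add((flow["dst"], flow["dport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}

# Constructed sample: a sweep from sport 53, a genuine TCP DNS reply (SYN/ACK),
# UDP DNS, and one stray SYN from sport 80 that stays under the threshold.
SAMPLE_FLOWS = [
    "tcp 203.0.113.9:53 > 192.0.2.10:22 S",
    "tcp 203.0.113.9:53 > 192.0.2.10:445 S",
    "tcp 203.0.113.9:53 > 192.0.2.11:22 S",
    "tcp 203.0.113.9:53 > 192.0.2.12:3389 S",
    "tcp 198.51.100.5:53 > 192.0.2.20:40311 SA",
    "udp 198.51.100.5:53 > 192.0.2.20:40312 -",
    "tcp 198.51.100.7:80 > 192.0.2.21:1025 S",
]

if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: SYN-only from a server port to {n} distinct targets")
```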