Educause Security Discussion mailing list archives
Re: Scanning from source port 53
From: Dave Monnier <dmonnier () IU EDU>
Date: Thu, 9 Sep 2004 20:43:43 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Lois Lehman wrote:
> Has anyone else seen this trick recently for getting through your routers? The source port being used for the scanning is port 53 as it is looked upon as normal traffic. Is there any legitimate application that would send out syn packets from port 53? Do I need to modify our snort rules?
It's a common tactic. You've hit the nail on the head as to its purpose. 80 is another favorite.

As for your snort rules, it depends on what value the data is to you from the detect. Can/Do you modify your network policy to reject/drop "bad" IPs dynamically? If not, you can probably dump the rule. Can/Do you analyze flow-data looking for activity from/to "bad" IPs based on detects? If not, you can probably dump the rule. If there's nothing in your strategy that can benefit from the data, I would recommend getting rid of or changing the rule. Regular detects that get no attention will only clutter the detects that do warrant attention.

Cheers,
-Dave

--
| Dave Monnier - dmonnier () iu edu - http://php.indiana.edu/~dmonnier/ |
| Lead Security Engineer, Information Technology Security Office |
| Office of the VP for Information Technology, Indiana University |

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBQQbPBIf6jlONJjIRArtsAKCkou8XYkXPjVH65IVix+bdV/xUDACfQl81
rfg+8yXRWTekLCLcXKCUotY=
=bbII
-----END PGP SIGNATURE-----

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
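The exchange above turns on two points: why a SYN carrying source port 53 (or 80) slips through a port-based router ACL, and Dave's advice that a detect is only worth keeping if something downstream (a dynamic block, a flow-data hunt for "bad" IPs) consumes it. The following is an added example, not code from the thread or from either poster. It models a stateless ACL of the kind the question describes, flags bare SYNs from service ports as the non-reply traffic they are, and aggregates those detects per source into a scanner list that a block-list or flow-analysis step could act on. The address ranges, the `HOME_NET` prefix, the packet records and the `min_ports` threshold are all constructed assumptions.

```python
# Added example (not from the original thread): why a SYN from source port 53
# slips past a port-based ACL, and a detect that turns such SYNs into a list
# of scanning sources that a block-list or flow-analysis process could consume.
from collections import defaultdict
from dataclasses import dataclass

HOME_NET = "10.1."            # assumption: our address space (constructed)
SERVICE_SRC_PORTS = {53, 80}  # source ports the thread says scanners borrow


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags in Snort letter form: "S" = SYN only, "SA" = SYN/ACK, "A" = ACK


def stateless_acl_permits(pkt: Packet) -> bool:
    """Constructed model of a stateless router ACL of the kind the thread is
    about: inbound TCP is allowed if it looks like a reply, where 'reply' is
    judged by the ACK bit or by coming from a well-known service port."""
    if pkt.sport in SERVICE_SRC_PORTS:
        return True          # treated as a DNS/HTTP answer to one of our clients
    return "A" in pkt.flags  # the classic 'established' check


def is_source_port_evasion(pkt: Packet) -> bool:
    """A bare SYN (no ACK) arriving from a service port is not a reply to
    anything we sent: a real answer to our DNS or HTTP request carries ACK.
    Roughly what a Snort rule matching flags:S on source port 53/80 fires on."""
    return (pkt.dst.startswith(HOME_NET)
            and pkt.sport in SERVICE_SRC_PORTS
            and pkt.flags == "S")


def scanning_sources(packets, min_ports: int = 3) -> dict[str, list[int]]:
    """Aggregate evasive SYNs per source; a source probing several distinct
    destination ports is a scanner, and that list is what a dynamic block or
    flow-data hunt would consume. Below min_ports the detect is just noise."""
    ports: dict[str, set[int]] = defaultdict(set)
    for p in packets:
        if is_source_port_evasion(p):
            ports[p.src].add(p.dport)
    return {src: sorted(ps) for src, ps in ports.items() if len(ps) >= min_ports}


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE = [
    # scanner: SYNs from source port 53 to four different inside ports
    Packet("203.0.113.5", 53, "10.1.2.3", 22, "S"),
    Packet("203.0.113.5", 53, "10.1.2.3", 139, "S"),
    Packet("203.0.113.5", 53, "10.1.2.4", 445, "S"),
    Packet("203.0.113.5", 53, "10.1.2.4", 1433, "S"),
    # legitimate TCP DNS answer to a query our resolver opened (SYN/ACK)
    Packet("192.0.2.10", 53, "10.1.0.9", 40123, "SA"),
    # legitimate HTTP data returning to a client (ACK)
    Packet("198.51.100.20", 80, "10.1.5.7", 51022, "A"),
    # one stray SYN from source port 80: below the scan threshold
    Packet("198.51.100.7", 80, "10.1.5.7", 3389, "S"),
    # an ordinary unsolicited SYN from a high port: the ACL drops this one
    Packet("203.0.113.9", 44000, "10.1.2.3", 22, "S"),
]

if __name__ == "__main__":
    passed = [p for p in SAMPLE if stateless_acl_permits(p)]
    print(f"{len(passed)} of {len(SAMPLE)} packets pass the stateless ACL")
    for src, ports in scanning_sources(SAMPLE).items():
        print(f"scanner {src} probed ports {ports}")
```

Run as-is, the ACL lets every service-port packet through, scan SYNs included, while the only packet it stops is the honest high-port SYN; that is the whole trick Lois asked about. The detect then keeps only the source that probed several ports, which is the form of output Dave's advice presupposes: a detect is worth its rule when it feeds something, here a list of addresses for a dynamic drop or a flow-data search, rather than a log line nobody reads. A stateful filter makes the ACL half of this moot, since it only admits packets belonging to a connection an inside host opened.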
Current thread:
- Scanning from source port 53 Lois Lehman (Sep 09)
- <Possible follow-ups>
- Re: Scanning from source port 53 Dave Monnier (Sep 09)