Snort mailing list archives
Re: Arghh...how do I stop it doing this!!
From: Brian Caswell <bmc () mitre org>
Date: Thu, 03 May 2001 12:27:53 -0400
Dave Fitches wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Active System Attack Alerts =-=-=-=-=-=-=-=-=-=-=-=-=-= [**] MISC source port 53 to <1023 [**] 05/04-00:04:47.283946 209.235.102.13:53 -> 203.164.xxx.xxx:53 UDP TTL:237 TOS:0x0 ID:50935 IpLen:20 DgmLen:460 DF [**] MISC source port 53 to <1023 [**] 05/04-00:04:47.542673 209.235.102.12:53 -> 203.164.xxx.xxx:53 UDP TTL:237 TOS:0x0 ID:21123 IpLen:20 DgmLen:137 DF [...etc...] Damn thing seems to read every DNS query _I_ do as a bloody alert notable event!! ARRGHH!!!
Don't use any for $HOME_NET and $EXTERNAL_NET I would simply comment out that rule. Adding a "pass" rule could lead to bad things being ignored. Its trivial to change the src port for exploits. -brian _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Arghh...how do I stop it doing this!! Dave Fitches (May 03)
- RE: Arghh...how do I stop it doing this!! Ed Greshko (May 03)
- RE: Arghh...how do I stop it doing this!! Dave Fitches (May 03)
- Re: Arghh...how do I stop it doing this!! Brian Caswell (May 03)
- <Possible follow-ups>
- RE: Arghh...how do I stop it doing this!! Neil Dickey (May 03)
- RE: Arghh...how do I stop it doing this!! Robert D. Hughes (May 07)
- RE: Arghh...how do I stop it doing this!! Ed Greshko (May 03)