Snort mailing list archives

Re: my logs is flooding with snort w/ some weird message about port 53


From: "alexus" <ml () db nexgen com>
Date: Tue, 4 Sep 2001 16:13:00 -0400

hm okay i did that

same thing...

commenting it out doesn't make sense.. you gotta specify to use port >1023

----- Original Message -----
From: "Ramin Alidousti" <ramin () cannon eng us uu net>
To: "alexus" <ml () db nexgen com>
Cc: "Ramin Alidousti" <ramin () cannon eng us uu net>;
<snort-users () lists sourceforge net>
Sent: Tuesday, September 04, 2001 4:09 PM
Subject: Re: [Snort-users] my logs is flooding with snort w/ some weird message about port 53


No, the opposite. Comment it out:

options {
...
// query-source address * port 53;
...
};

and restart your named:

ndc restart

Ramin

On Tue, Sep 04, 2001 at 04:04:27PM -0400, alexus wrote:

i added

query-source address * port 53;

in options in named.conf

those messages didn't disappear :(

----- Original Message -----
From: "Ramin Alidousti" <ramin () cannon eng us uu net>
To: "alexus" <ml () db nexgen com>
Cc: <snort-users () lists sourceforge net>
Sent: Tuesday, September 04, 2001 3:30 PM
Subject: Re: [Snort-users] my logs is flooding with snort w/ some weird message about port 53


I think that your dns server (named) has been told to send
out queries with port (53). These are the responses coming
back. Take a look at "/etc/named.conf" and see if you have
such an entry:

options {
...
query-source address * port 53;
...
};

If you comment this out then the queries sent out by your
server will be from the unprivileged ports (>1023) and snort
will not complain. Otherwise, take a look at:

misc.rules:

alert udp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)

Hope it helps,
Ramin



On Tue, Sep 04, 2001 at 02:47:19PM -0400, alexus wrote:

hello

for some reason i get a lot of traffic on my port 53, even though my
nameserver is closed to the public. can someone explain to me what that means?

Sep  4 14:44:05 box snort[11565]: [1:515:2] MISC source port 53 to <1024 [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} 24.69.255.195:53 -> 66.92.98.145:53
Sep  4 14:44:08 box snort[11565]: [1:515:2] MISC source port 53 to <1024 [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} 194.67.2.114:53 -> 66.92.98.145:53
Sep  4 14:44:08 box snort[11565]: [1:515:2] MISC source port 53 to <1024 [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} 207.236.57.98:53 -> 66.92.98.145:53
Sep  4 14:44:08 box snort[11565]: [1:515:2] MISC source port 53 to <1024 [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} 207.236.57.98:53 -> 66.92.98.145:53

just for example, right now it's 2:45pm and since morning i already got

su-2.05# grep -c "MISC source port 53" /var/log/all.log
9222
su-2.05#

of those entries in my log

please help

if this is legit traffic, which rule can i comment out so it won't show in
my logs? and if this traffic is legit, why does it show as "potentially
bad traffic"?

thanks in advance



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




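Added example, not code from the thread, from Snort or from BIND: it models the misc.rules check "alert udp $EXTERNAL_NET 53 -> $HOME_NET :1023" (sid 515) over constructed UDP flows, to show why a named running with "query-source address * port 53" gets its DNS replies flagged while an unprivileged source port does not, and parses the alert format shown in the thread. HOME_NET is assumed to be 66.92.98.0/24 (covering the resolver 66.92.98.145 from the log lines).

```python
# Added example (not from the thread, Snort or BIND): model sid 515 and the
# effect of named's query-source port on the replies Snort sees.
import ipaddress
import re
from typing import Iterable, NamedTuple, Optional

# Assumption: HOME_NET covers the resolver 66.92.98.145 seen in the log lines.
HOME_NET = ipaddress.ip_network("66.92.98.0/24")

class UdpFlow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def sid515_matches(flow: UdpFlow) -> bool:
    """External source port 53 -> home destination port 0..1023 (":1023")."""
    src = ipaddress.ip_address(flow.src_ip)
    dst = ipaddress.ip_address(flow.dst_ip)
    return (src not in HOME_NET and flow.src_port == 53
            and dst in HOME_NET and flow.dst_port <= 1023)

def dns_response(query_source_port: int, upstream_ip: str, resolver_ip: str) -> UdpFlow:
    """An upstream server's reply mirrors the query's ports: sent from 53 back
    to whatever source port the resolver used for the query."""
    return UdpFlow(upstream_ip, 53, resolver_ip, query_source_port)

def alert_count(query_source_port: int, upstreams: Iterable[str],
                resolver_ip: str = "66.92.98.145") -> int:
    """How many replies (one query per upstream) fire sid 515 for this config."""
    return sum(sid515_matches(dns_response(query_source_port, u, resolver_ip))
               for u in upstreams)

# The alert trailer "{UDP} a.b.c.d:sport -> w.x.y.z:dport" from the thread's log.
LOG_RE = re.compile(r"\{UDP\} (\S+):(\d+) -> (\S+):(\d+)")

def flow_from_alert(line: str) -> Optional[UdpFlow]:
    """Extract the flow from a Snort syslog alert line; None if not an alert."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return UdpFlow(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))

# Constructed sample line, in the format quoted in the thread.
SAMPLE_ALERT = ("Sep  4 14:44:05 box snort[11565]: [1:515:2] MISC source port 53 to <1024 "
                "[Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} "
                "24.69.255.195:53 -> 66.92.98.145:53")
```

With query-source port 53 every reply lands on destination port 53 and matches; with a port above 1023 the same replies fall outside ":1023" and the rule stays quiet.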

