Snort mailing list archives

MISC source port 53 to <1024 question


From: Rich Adamson <radamson () routers com>
Date: Sun, 7 Oct 2001 19:30:37 -0600

Wonder if someone can help explain the following rule. I seem to be
getting a lot of what appears to be valid DNS lookups to our primary
DNS server with both a "source and destination port of 53" (as observed
with a Sniffer). (Snort v1.8.1)

alert udp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)

The typical alert looks like:

[**] MISC source port 53 to <1024 [**]
10/07-20:02:56.074735 161.69.3.150:53 -> 206.222.193.73:53
UDP TTL:240 TOS:0x0 ID:29841 IpLen:20 DgmLen:57 DF
Len: 37

Disabling the above rule stops the alerts, but I'm not sure if that is
the right thing to do. The DNS server responds correctly to each of these
requests.

Thoughts???

Rich
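
An added example, not part of the original post or of Snort: a short Python triage of alerts in the layout shown above. It separates port 53 to port 53 flows from hits on other destination ports inside the rule's `:1023` range (Snort port syntax for ports up to and including 1023). The second sample alert and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the alert layout shown in the post: the first block
# reproduces the post's alert, the second is made up for illustration.
SAMPLE = """\
[**] MISC source port 53 to <1024 [**]
10/07-20:02:56.074735 161.69.3.150:53 -> 206.222.193.73:53
UDP TTL:240 TOS:0x0 ID:29841 IpLen:20 DgmLen:57 DF
Len: 37

[**] MISC source port 53 to <1024 [**]
10/07-20:04:41.250000 192.0.2.77:53 -> 198.51.100.80:111
UDP TTL:49 TOS:0x0 ID:77 IpLen:20 DgmLen:84
Len: 64
"""

MSG = "MISC source port 53 to <1024"
FLOW = re.compile(r"^\S+\s+(\d+(?:\.\d+){3}):(\d+) -> (\d+(?:\.\d+){3}):(\d+)$")

def rule_ports_match(sport, dport):
    """Port test of sid 515: source port 53, destination ':1023' (up to 1023)."""
    return sport == 53 and dport <= 1023

def triage(text, msg=MSG):
    """Count matching alerts per (src, dst, dport), split into 53->53 and the rest."""
    dns_to_dns, other_low = Counter(), Counter()
    lines = text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if line.strip() != f"[**] {msg} [**]":
            continue
        m = FLOW.match(lines[i + 1].strip())
        if not m:
            continue  # alert header without a parsable flow line
        src, sport, dst, dport = m[1], int(m[2]), m[3], int(m[4])
        if not rule_ports_match(sport, dport):
            continue
        bucket = dns_to_dns if dport == 53 else other_low
        bucket[(src, dst, dport)] += 1
    return dns_to_dns, other_low

if __name__ == "__main__":
    dns, other = triage(SAMPLE)
    for label, bucket in (("53 -> 53", dns), ("53 -> other <1024", other)):
        for (src, dst, dport), n in bucket.most_common():
            print(f"{label:18} {src} -> {dst}:{dport}  x{n}")
```
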

