Snort mailing list archives
Re: MISC source port 53 to <1024 question
From: Madhav Diwan <mdiwan () frontgatesystems com>
Date: Sun, 07 Oct 2001 23:10:36 -0400
Your problem is not really a major problem. You can fix it easily by changing the alert statement to reflect which port you are accepting DNS responses into, rather than $HOME_NET :1023. Since you are accepting DNS responses on port 53, make sure that port 53 is outside the range of the alert. While this behavior of a DNS server sending its response to a port less than 1024 is atypical, it is not unheard of.

I think the best suggestion I could make is that you might try a pass rule which limits the responses accepted to be sourced from your DNS servers alone. That way you still catch anyone trying to get to your LAN via port 53, but you can be reasonably sure that such an attack won't come from a DNS server. ... Oh, and put your pass rule ahead of this alert statement :) You definitely do not want to remove the statement, as it would allow a rather simple hole in your IDS, i.e. anyone could send you a UDP flood at port 53. Not a happy situation.

Good luck,
Madhav Diwan

Rich Adamson wrote:
> Wonder if someone can help explain the following rule. I seem to be getting a lot of what appears to be valid DNS lookups to our primary DNS server with both a "source and destination port of 53" (as observed with a Sniffer). (Snort v1.8.1)
>
> alert udp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)
>
> The typical alert looks like:
>
> [**] MISC source port 53 to <1024 [**]
> 10/07-20:02:56.074735 161.69.3.150:53 -> 206.222.193.73:53
> UDP TTL:240 TOS:0x0 ID:29841 IpLen:20 DgmLen:57 DF
> Len: 37
>
> Disabling the above rule stops the alerts, but I'm not sure if that is the right thing to do. The DNS server responds correctly to each of these requests.
>
> Thoughts???
>
> Rich
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
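The two suggestions in the reply above (a pass rule for known DNS servers placed ahead of sid:515, or taking port 53 out of the alert's destination range) written out as a Snort 1.x rules fragment. This is an added example, not rules from the thread or from the Snort project's own rule set; the `$DNS_SERVERS` variable, its addresses and the local sids are placeholders to replace with your own values.

```snort
# Added example, not from the thread. $DNS_SERVERS is a placeholder variable;
# replace the address list with the DNS servers you expect 53 -> 53 responses from.
var DNS_SERVERS [192.0.2.53/32,192.0.2.54/32]   # placeholder addresses (RFC 5737 space)

# 1. Pass rule: known DNS servers answering a query sent from your server's own port 53.
#    In Snort 1.x this only wins over the alert when Snort is started with -o
#    (Pass->Alert->Log order); the default order evaluates alert rules first.
pass udp $DNS_SERVERS 53 -> $HOME_NET 53 (msg:"Known DNS server 53 -> 53 response"; sid:1000001; rev:1;)

# 2. Keep sid:515 unchanged for everything else, so a UDP flood from source port 53
#    aimed at low ports (port 53 included, from any other host) still alerts.
alert udp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)

# 3. Alternative to 1+2: take port 53 out of the alert's range entirely by splitting
#    the range around it, so 53 -> 53 never matches (local sids are placeholders).
#    This is looser than the pass rule: 53 -> 53 from an unknown host no longer alerts.
alert udp $EXTERNAL_NET 53 -> $HOME_NET :52 (msg:"MISC source port 53 to <53"; classtype:bad-unknown; sid:1000002; rev:1;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET 54:1023 (msg:"MISC source port 53 to 54-1023"; classtype:bad-unknown; sid:1000003; rev:1;)
```

Use either rules 1+2 or rule 3, not both. The pass-rule variant is the tighter of the two because it whitelists only the hosts you actually exchange port-53 traffic with; a 53 -> 53 packet from anyone else still trips sid:515. After loading the rules, confirm the ordering is what you expect by replaying a capture of one of the 161.69.3.150:53 -> 206.222.193.73:53 packets from the original alert with `snort -r` and checking that it is passed only when the source is in `$DNS_SERVERS`.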
Current thread:
- MISC source port 53 to <1024 question Rich Adamson (Oct 07)
- Re: MISC source port 53 to <1024 question Madhav Diwan (Oct 07)
- <Possible follow-ups>
- RE: MISC source port 53 to <1024 question Michael Ritzert (Oct 09)
- Re: MISC source port 53 to <1024 question Bruno Gimenes Pereti (Oct 09)
- Message not available
- Re: MISC source port 53 to <1024 question Bruno Gimenes Pereti (Oct 09)
- Re: MISC source port 53 to <1024 question Bruno Gimenes Pereti (Oct 09)