Snort mailing list archives

Re: MISC source port 53 to <1024 question


From: Madhav Diwan <mdiwan () frontgatesystems com>
Date: Sun, 07 Oct 2001 23:10:36 -0400

Your problem is not really a major problem. You can fix it easily by changing the alert statement to
reflect which port you are accepting DNS responses into ... rather than $HOME_NET :1023 .. since you are
accepting DNS responses on port 53, make sure that port 53 is outside the range of the alert.

While this behavior of a DNS server sending a response to a port less than 1024 is atypical, it is not
unheard of.

I think the best suggestion I could make is that you might try a pass rule which limits the responses
accepted to be sourced from your DNS servers alone .. that way you still catch anyone trying to get to your
LAN via port 53.. but you can be reasonably sure that such an attack won't come from a DNS server. .... oh,
and put your pass rule ahead of this alert statement :)

You definitely do not want to remove the statement, as it would leave a rather simple hole in your IDS, i.e.
anyone could send you a UDP flood at port 53.. not a happy situation.

good luck

Madhav Diwan
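The pass-rule approach described above, written out as an added example for Snort 1.8 (this is not code from the thread or from the Snort distribution). It assumes the address values shown are placeholders for your own network and resolver, and that the stock sid:515 rule stays in place.

```snort
# Added example, not from the thread. Addresses are constructed placeholders.
var HOME_NET 206.222.193.0/24
var EXTERNAL_NET any
# The resolver(s) you actually run; replace with your own.
var DNS_SERVERS [206.222.193.73/32]

# Let server-to-server DNS traffic (source port 53 to destination port 53)
# reach your own resolvers without raising an alert. Anything else sourced
# from port 53 toward a low port anywhere on HOME_NET still trips sid 515.
pass udp $EXTERNAL_NET 53 -> $DNS_SERVERS 53

# Stock rule from the thread, left unchanged so the UDP-flood case is still caught.
alert udp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)

# Snort 1.x evaluates alert rules before pass rules by default, so the pass
# rule only takes effect when Snort is started with -o, which changes the
# rule application order to pass -> alert -> log.
```

Start Snort with `snort -o -c snort.conf` (plus your usual options) so the pass rule is honoured; without `-o`, the order in the rules file alone does not make the pass rule win.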



Rich Adamson wrote:

Wonder if someone can help explain the following rule. I seem to be
getting a lot of what appears to be valid DNS lookups to our primary
DNS server with both a "source and destination port of 53" (as observed
with a Sniffer). (Snort v1.8.1)

alert udp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)

The typical alert looks like:

[**] MISC source port 53 to <1024 [**]
10/07-20:02:56.074735 161.69.3.150:53 -> 206.222.193.73:53
UDP TTL:240 TOS:0x0 ID:29841 IpLen:20 DgmLen:57 DF
Len: 37

Disabling the above rule stops the alerts, but I'm not sure if that is
the right thing to do. The DNS server responds correctly to each of these
requests.

Thoughts???

Rich

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



