Snort mailing list archives
Re: MISC source port 53 to <1024 question
From: "Bruno Gimenes Pereti" <pereti () ump edu br>
Date: Tue, 9 Oct 2001 08:53:23 -0300
I'd never made a rule but I think it could be only one:

alert udp $EXTERNAL_NET 53 -> $HOME_NET !53 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)

Please, correct me if I'm wrong.

Bruno.

Hi all,

sorry for breaking the thread, but I only just subscribed to the list and don't have the original message available.

I'm running a public DNS server and also very often (i.e. every 1 to 2 minutes) see that very log entry. Because this is to be the first rule I'll write, I'd prefer to verify it with you before I enable it. I would go for

alert udp $EXTERNAL_NET 53 -> $HOME_NET :52 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET 54:1023 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)

instead of the single 53 -> $HOME_NET :1023 entry. Is this correct?

Thanks,
Michael
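
Added example, not part of the original posts or of Snort itself: a small Python model of Snort's port-specification syntax (`any`, `N`, `N:M`, `:M`, `N:`, leading `!`) that expands the destination-port field of each rule discussed in this thread so their coverage can be compared. The function names are hypothetical, and port 0 is assumed to be the lower bound of an open-ended range.

```python
# Added example: models Snort port specs to compare the rules in this thread.
MAX_PORT = 65535
ALL_PORTS = frozenset(range(MAX_PORT + 1))  # assumption: port 0 is the lower bound

def port_set(spec):
    """Expand one Snort port spec: any, N, N:M, :M, N:, with optional leading !."""
    negate = spec.startswith("!")
    body = spec[1:] if negate else spec
    if body == "any":
        ports = ALL_PORTS
    elif ":" in body:
        lo_txt, hi_txt = body.split(":", 1)
        lo = int(lo_txt) if lo_txt else 0
        hi = int(hi_txt) if hi_txt else MAX_PORT
        if not 0 <= lo <= hi <= MAX_PORT:
            raise ValueError(f"bad port range: {spec!r}")
        ports = frozenset(range(lo, hi + 1))
    else:
        port = int(body)
        if not 0 <= port <= MAX_PORT:
            raise ValueError(f"bad port: {spec!r}")
        ports = frozenset({port})
    return ALL_PORTS - ports if negate else ports

def coverage(specs):
    """Union of destination ports matched by a list of rules (one spec per rule)."""
    matched = set()
    for spec in specs:
        matched |= port_set(spec)
    return matched

def as_ranges(ports):
    """Collapse a port set into sorted (low, high) tuples for readable output."""
    ranges = []
    for p in sorted(ports):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges

# Destination-port fields taken from the rules quoted in the thread.
CANDIDATES = {
    "single entry (:1023)": [":1023"],
    "one rule (!53)": ["!53"],
    "two rules (:52, 54:1023)": [":52", "54:1023"],
}

if __name__ == "__main__":
    for label, specs in CANDIDATES.items():
        print(f"{label:26} -> {as_ranges(coverage(specs))}")
```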