Snort mailing list archives

Re: How do I stop the following


From: Phil Wood <cpw () lanl gov>
Date: Sat, 22 Dec 2001 12:24:24 -0700

Note the port 53 to port 53.  This happens a lot with some operating systems
which like to use a source port equal to the destination port and not the
de facto 1024 or greater.  The problem is crackers like to scan networks
using low source ports on the assumption that a lot of older stateless firewalls
are configured to let certain critical services in.  (In this case Domain
Name Service, probably the MOST critical of all services).

What we have done is define the systems which are allowed to make domain
name queries out of our network (those would be our internal nameservers)
and allow only those systems to communicate with the outside.  The multitude
of client systems are configured to use our internal servers.  Once you
know your basic constraints defined by your security policy, you can tweak
your rule sets by adding some "pass" rules (along with the -o switch) for
the systems in your internal network which might have gone astray (kernel
network stack wise [cause it will be a cold day in Hell before a vendor
fixes something like that]).

DNS is not the only service which can generate "alerts" like you have asked
about.  So, bottom line, you got to do a little work to fine tune your
rule set based on your security policy among other things.  

Just the tip of the iceberg.  Got to go.
 
On Fri, Dec 21, 2001 at 06:38:22AM -0800, Trevor and Cindy wrote:
Hi,
 
A Snort newbie here.  I was wondering what the following alert is and
how I stop it.  I sure hope it is a false positive, since I get
thousands of them a day, which really bogs down SnortSnarf.  The strange
thing is I do not see the IP addresses that cause these things showing
up in the firewall logs.
 
[**] [1:515:2] MISC source port 53 to <1024 [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
12/17-08:11:00.311810 216.115.108.33:53 -> 63.168.165.253:53
UDP TTL:53 TOS:0x0 ID:9702 IpLen:20 DgmLen:517
Len: 497
 
I have been looking through the mailing list, but have not seen anything
that shows how to stop this.  Any help would be greatly appreciated.
 
Thanks
 
Trevor 

-- 
Phil Wood, cpw () lanl gov
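As an added illustration of the tuning Phil describes (this is not code from the thread or from the Snort project), the Python below parses alert records in the format Trevor posted, keeps only SID 515 hits, and drops the ones a "pass" rule for port-53 replies to sanctioned internal resolvers would suppress. Treating 63.168.165.253 as the poster's internal resolver, and the second record, are constructed assumptions.

```python
import re

# Constructed sample in the Snort 1.x alert format quoted in the thread. The
# first record is the poster's real alert; the second is made up (RFC 5737
# source address) to show a hit that the pass rule should NOT suppress.
SAMPLE_ALERTS = """\
[**] [1:515:2] MISC source port 53 to <1024 [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
12/17-08:11:00.311810 216.115.108.33:53 -> 63.168.165.253:53
UDP TTL:53 TOS:0x0 ID:9702 IpLen:20 DgmLen:517
Len: 497

[**] [1:515:2] MISC source port 53 to <1024 [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
12/17-08:12:05.000001 198.51.100.7:53 -> 63.168.165.9:111
UDP TTL:40 TOS:0x0 ID:1 IpLen:20 DgmLen:68
Len: 48
"""

HDR_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
PKT_RE = re.compile(r"^(\S+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

def parse_alerts(text):
    """Split a Snort alert file into records; one dict per [**] block."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines()]
        hdr, pkt = HDR_RE.match(lines[0]), PKT_RE.match(lines[2])
        if not (hdr and pkt):
            continue  # skip anything that is not a well-formed record
        records.append({
            "sid": int(hdr.group(2)), "msg": hdr.group(4), "ts": pkt.group(1),
            "src": pkt.group(2), "sport": int(pkt.group(3)),
            "dst": pkt.group(4), "dport": int(pkt.group(5)),
            "proto": lines[3].split()[0],
        })
    return records

def is_dns_reply_to_resolver(rec, resolvers):
    """Stand-in for the pass rule: UDP from port 53 to port 53 on one of our
    sanctioned resolvers is the same-port behaviour Phil describes."""
    return (rec["proto"] == "UDP" and rec["sport"] == 53
            and rec["dst"] in resolvers and rec["dport"] == 53)

def triage(text, resolvers):
    """Return the SID 515 hits that survive the pass rule and still need a look."""
    return [r for r in parse_alerts(text)
            if r["sid"] == 515 and not is_dns_reply_to_resolver(r, resolvers)]

if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS, {"63.168.165.253"}):  # assumed resolver
        print(f'{r["ts"]} {r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]}')
```

Anything left after triage is traffic from a low source port to a host that is not one of your resolvers, which is exactly the case the rule was written for.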

