[Snort-users] MISC source port 53

Jason Haar Jason.Haar at ...294...
Sun Apr 8 22:21:07 EDT 2001


I'm starting to see a lot of "MISC source port 53 to <1023" hits. I think
it's due to the rules update I did last week, but I think it's causing heaps
of false positives.

I sniffed out a few - here's what tcpdump reports:

14:00:28.890720 12.26.84.131.53 > 203.167.239.194.53:  39188 A?
trimble.co.nz. (31) (DF)
14:00:28.892319 203.167.239.194.53 > 12.26.84.131.53:  39188* 0/1/0 (84)
14:00:47.116723 198.186.203.85.53 > 203.167.239.194.53:  18947 MX?
trimble.co.nz. (31)
14:00:47.118779 203.167.239.194.53 > 198.186.203.85.53:  18947* 1/3/3 MX
hades.trimble.co.nz. 10 (163)
14:03:16.556402 202.101.38.219.53 > 203.167.239.194.53:  2382 A?
trimble.co.nz. (31) (DF)
14:03:16.557736 203.167.239.194.53 > 202.101.38.219.53:  2382* 0/1/0 (84)


Looks to me like a DNS server looking up our NS, then doing a MX record
lookup. Nothing suspicious about that except that its UDP source port is 53
instead of > 1023.

Looking these addresses up has so far returned either DNS or SMTP servers -
which sort-a follows :-) Strangely enough, the SMTP servers have all been
Unix ones - which sort of implies the DNS servers will also be Unix. So what
DNS server uses port 53 for sending standard DNS queries?


-- 
Cheers

Jason Haar

Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
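Added example (not part of the original post): a small Python triage script for the situation described above. It parses tcpdump DNS summary lines like the ones quoted in the message, applies the same test the "source port 53 to <1023" signature does, and separates the port-53-to-port-53 DNS queries and replies the post shows (server-to-server lookups, so a likely false positive) from packets that match the signature but carry no DNS message. The first six sample lines are the post's own tcpdump output joined back onto single lines; the seventh is a constructed line that is not from the post. The exact port threshold is an assumption taken from the rule name, since the post does not quote the rule.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Sample tcpdump output. The first six lines are the records quoted in the
# post, each joined back onto one line. The last line is CONSTRUCTED for this
# example: UDP from source port 53 to a privileged port with no DNS payload.
SAMPLE_TCPDUMP = """\
14:00:28.890720 12.26.84.131.53 > 203.167.239.194.53:  39188 A? trimble.co.nz. (31) (DF)
14:00:28.892319 203.167.239.194.53 > 12.26.84.131.53:  39188* 0/1/0 (84)
14:00:47.116723 198.186.203.85.53 > 203.167.239.194.53:  18947 MX? trimble.co.nz. (31)
14:00:47.118779 203.167.239.194.53 > 198.186.203.85.53:  18947* 1/3/3 MX hades.trimble.co.nz. 10 (163)
14:03:16.556402 202.101.38.219.53 > 203.167.239.194.53:  2382 A? trimble.co.nz. (31) (DF)
14:03:16.557736 203.167.239.194.53 > 202.101.38.219.53:  2382* 0/1/0 (84)
14:05:01.000000 192.0.2.10.53 > 203.167.239.194.139:  udp 120
"""

# Generic tcpdump UDP record: "<ts> <src>.<sport> > <dst>.<dport>: <summary>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+"
    r"(?P<rest>.*)$"
)
# tcpdump DNS summary: "<txid>[*] ...", '*' marking an authoritative answer;
# a query is summarised as "<TYPE>? <name>".
DNS_RE = re.compile(r"^(?P<txid>\d+)(?P<aa>\*?)\s+(?P<body>.*)$")
QUERY_RE = re.compile(r"^(?P<qtype>[A-Z0-9]+)\?\s+(?P<qname>\S+)")


@dataclass
class Record:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    txid: Optional[int]   # None when the payload is not a DNS message
    is_query: bool
    qtype: Optional[str]
    qname: Optional[str]
    raw: str


def parse_line(line: str) -> Optional[Record]:
    """Parse one tcpdump line; return None for lines that are not UDP/IP records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    txid, is_query, qtype, qname = None, False, None, None
    d = DNS_RE.match(m["rest"])
    if d:
        txid = int(d["txid"])
        q = QUERY_RE.match(d["body"])
        if q:
            is_query, qtype, qname = True, q["qtype"], q["qname"]
    return Record(m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                  txid, is_query, qtype, qname, line.strip())


def classify(rec: Record) -> str:
    """Apply the 'source port 53 to a privileged port' test, then explain the hit.

    'not-matched'          the signature would not fire on this packet
    'dns-server-query'     DNS query, port 53 -> port 53 (the post's traffic)
    'dns-server-response'  DNS reply, port 53 -> port 53
    'review'               source port 53 to a privileged port without a DNS
                           message in the payload; keep the alert
    """
    # Assumed threshold, mirroring the rule name "source port 53 to <1023".
    if rec.sport != 53 or rec.dport > 1023:
        return "not-matched"
    if rec.dport == 53 and rec.txid is not None:
        return "dns-server-query" if rec.is_query else "dns-server-response"
    return "review"


def triage(text: str) -> Counter:
    """Count how each parsed record would be classified."""
    records = (parse_line(ln) for ln in text.splitlines())
    return Counter(classify(r) for r in records if r)


def needs_review(text: str) -> List[str]:
    """Return the raw lines that still deserve an analyst's attention."""
    records = (parse_line(ln) for ln in text.splitlines())
    return [r.raw for r in records if r and classify(r) == "review"]


if __name__ == "__main__":
    for label, n in sorted(triage(SAMPLE_TCPDUMP).items()):
        print(f"{label:22s} {n}")
    for raw in needs_review(SAMPLE_TCPDUMP):
        print("REVIEW:", raw)
```

Run against the sample, the three queries and three replies from the post come out as port-53-to-port-53 DNS traffic, and only the constructed non-DNS line is left for review. The same split is what you would want a tuned rule to express: keep alerting on source port 53 towards privileged ports, but exempt packets where both ends are port 53 and the payload parses as DNS.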



