[Snort-users] MISC source port 53
Berend De Schouwer
bds at ...1654...
Mon Apr 9 03:10:35 EDT 2001
On 09 Apr 2001 14:21:07 +1200, Jason Haar wrote:
> I'm starting to see a lot of "MISC source port 53 to <1023" hits. I think
> it's due to the rules update I did last week, but I think it's causing heaps
> of false positives.
[ snip ]
> Looks to me like a DNS server looking up our NS, then doing a MX record
> lookup. Nothing suspicious about that except that its UDP source port is 53
> instead of > 1023.
I've seen this too, and changed my rule in misc.rules to
alert udp !$DNS_SERVERS 53 -> !$DNS_SERVERS :1024 (msg:"MISC source port 53 to <1024";)
and defined DNS_SERVERS. Did the same for the TCP rule.
> Looking these addresses up has so far returned either DNS or SMTP servers -
> which sort-a follows :-) Strangely enough, the SMTP servers have all been
> Unix ones - which sort of implies the DNS servers will also be Unix. So what
> DNS server uses port 53 for sending standard DNS queries?
Old(er) versions of BIND. It's only in version 8 that it became optional
to use a port above 1024.
> Jason Haar
> Unix/Special Projects, Trimble NZ
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
Berend De Schouwer, +27-11-712-1435, UCS
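Added example, not part of the original message and not Snort code: a small Python model of the address and port match in the modified rule above, run over constructed packets to show which port-53 traffic stops alerting once DNS_SERVERS is excluded. The DNS_SERVERS addresses, the packet list and the "untuned" form of the rule are assumptions made for illustration.

```python
import ipaddress

# Constructed stand-in for the DNS_SERVERS variable (RFC 5737 documentation addresses).
DNS_SERVERS = [ipaddress.ip_network(n) for n in ("192.0.2.53/32", "192.0.2.54/32")]

def is_dns_server(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DNS_SERVERS)

def untuned(src, sport, dst, dport):
    # Same port match with no address exclusion (assumed shape of the rule before the change).
    return sport == 53 and dport <= 1024      # ":1024" matches ports up to and including 1024

def tuned(src, sport, dst, dport):
    # alert udp !$DNS_SERVERS 53 -> !$DNS_SERVERS :1024
    return untuned(src, sport, dst, dport) and not is_dns_server(src) and not is_dns_server(dst)

# Constructed sample packets: (label, src, sport, dst, dport)
PACKETS = [
    ("remote resolver querying our NS from port 53", "198.51.100.10", 53, "192.0.2.53", 53),
    ("our NS replying to that resolver",             "192.0.2.53", 53, "198.51.100.10", 53),
    ("ordinary reply to a client's high port",       "198.51.100.10", 53, "192.0.2.80", 33000),
    ("port 53 to low port on a non-DNS host",        "198.51.100.10", 53, "192.0.2.80", 111),
    ("port 53 to another low port on our NS",        "198.51.100.10", 53, "192.0.2.53", 111),
]

def evaluate(packets=PACKETS):
    # Map each label to (untuned fires, tuned fires).
    return {label: (untuned(s, sp, d, dp), tuned(s, sp, d, dp)) for label, s, sp, d, dp in packets}

if __name__ == "__main__":
    for label, (before, after) in evaluate().items():
        print(f"{label:48} untuned={before!s:5} tuned={after}")
```

The last packet shows the trade-off of excluding by address: the tuned rule is silent for every low destination port on a listed server, not only port 53.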