[Snort-users] MISC source port 53

Berend De Schouwer bds at ...1654...
Mon Apr 9 03:10:35 EDT 2001


On 09 Apr 2001 14:21:07 +1200, Jason Haar wrote:
> I'm starting to see a lot of "MISC source port 53 to <1023" hits. I think
> it's due to the rules update I did last week, but I think it's causing heaps
> of false positives.

    [ snip ]
 
> Looks to me like a DNS server looking up our NS, then doing a MX record
> lookup. Nothing suspicious about that except that its UDP source port is 53
> instead of > 1023. 

I've seen this too, and changed my rule in misc.rules to
alert udp !$DNS_SERVERS 53 -> !$DNS_SERVERS :1024 (msg:"MISC source port 53 to <1024";)

and defined DNS_SERVERS.  Did the same for the TCP rule.

> Looking these addresses up has so far returned either DNS or SMTP servers -
> which sort-a follows :-) Strangely enough, the SMTP servers have all been
> Unix ones - which sort of implies the DNS servers will also be Unix. So what
> DNS server uses port 53 for sending standard DNS queries?

Old(er) versions of BIND.  It's only in version 8 that it became optional
to use a port above 1024.

> -- 
> Cheers
> 
> Jason Haar
> 
> Unix/Special Projects, Trimble NZ
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

Kind regards,
Berend

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Berend De Schouwer, +27-11-712-1435, UCS
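Added example (not from this thread or from the Snort project): a small Python model of the rule-header matching the two rules above rely on, run over constructed packets, to show exactly which traffic the !$DNS_SERVERS change suppresses. The DNS_SERVERS addresses and all packets are made up (RFC 5737 ranges); STOCK_RULE is my assumption of what the unrestricted rule looks like ("any 53 -> any :1023"), since the exact shipped text is not on the page. Port and address specs follow Snort's header syntax as I know it (single port, lo:hi ranges with an open end, $VAR lookup, ! negation); this is not Snort's own engine.

```python
"""Model Snort rule-header matching for the 'source port 53' rules and run
the stock and modified rules over constructed packets.
Illustrative code, not Snort's matching engine."""
import ipaddress
from dataclasses import dataclass

# Assumed site variable: our own name servers (constructed addresses).
VARIABLES = {"DNS_SERVERS": "[192.0.2.53,192.0.2.54]"}

# Assumed stock rule with no address restriction (exact shipped text unknown).
STOCK_RULE = 'alert udp any 53 -> any :1023 (msg:"MISC source port 53 to <1024";)'
# The rule as posted in the reply above.
MODIFIED_RULE = ('alert udp !$DNS_SERVERS 53 -> !$DNS_SERVERS :1024 '
                 '(msg:"MISC source port 53 to <1024";)')


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def port_matches(port: int, spec: str) -> bool:
    """Port spec: 'any', a single port, or lo:hi with either end open.
    Note ':1024' is inclusive, i.e. ports 0..1024."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def addr_matches(addr: str, spec: str, variables: dict) -> bool:
    """Address spec: 'any', a CIDR or [list], or $VAR; '!' negates the result."""
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if spec == "any":
        hit = True
    else:
        if spec.startswith("$"):
            spec = variables[spec[1:]]
        nets = [ipaddress.ip_network(s, strict=False)
                for s in spec.strip("[]").split(",")]
        hit = any(ipaddress.ip_address(addr) in net for net in nets)
    return hit != negate


def parse_header(rule: str) -> dict:
    """Split 'alert udp SRC SPORT -> DST DPORT (options)' into header fields."""
    tokens = rule.split("(", 1)[0].split()
    if len(tokens) != 7 or tokens[4] != "->":
        raise ValueError(f"unsupported rule header: {rule}")
    _action, proto, src, sport, _arrow, dst, dport = tokens
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


def rule_matches(rule: str, pkt: Packet, variables: dict = VARIABLES) -> bool:
    """True if the packet's 5-tuple satisfies every header field of the rule."""
    h = parse_header(rule)
    return (h["proto"] == pkt.proto
            and addr_matches(pkt.src, h["src"], variables)
            and port_matches(pkt.sport, h["sport"])
            and addr_matches(pkt.dst, h["dst"], variables)
            and port_matches(pkt.dport, h["dport"]))


# Constructed traffic samples.
PACKETS = {
    # old BIND querying our NS with source port 53 (the false positive)
    "old_bind_query": Packet("udp", "198.51.100.10", 53, "192.0.2.53", 53),
    # same remote host, source port 53, aimed at a web server's low port
    "sport53_to_webserver": Packet("udp", "198.51.100.10", 53, "192.0.2.80", 80),
    # ordinary query from an ephemeral port
    "normal_query": Packet("udp", "198.51.100.10", 3456, "192.0.2.53", 53),
    # source port 53 at a low non-DNS port on the DNS server itself
    "sport53_to_dns_server_ssh": Packet("udp", "203.0.113.7", 53, "192.0.2.53", 22),
}


def compare(packets=PACKETS, variables=VARIABLES):
    """Return {name: (stock_alerts, modified_alerts)} for each packet."""
    return {name: (rule_matches(STOCK_RULE, p, variables),
                   rule_matches(MODIFIED_RULE, p, variables))
            for name, p in packets.items()}


if __name__ == "__main__":
    for name, (stock, modified) in compare().items():
        print(f"{name:28s} stock={str(stock):5s} modified={modified}")
```

Two things the comparison makes visible: the BIND query to our NS stops alerting, but so does anything from source port 53 to a low port on the DNS servers themselves, because the !$DNS_SERVERS on the destination side excludes those hosts entirely rather than just port 53 on them. Also, ":1024" in the posted rule is inclusive of 1024 while the msg says "<1024"; the stock ":1023" is what matches the message text.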
