[Snort-users] MISC source port 53

Thorin thorinoakenshield at ...422...
Mon Apr 9 10:55:35 EDT 2001


It could be that they have set the query-source address variable to port 53
so they can traverse their firewall.
    From named.conf:
        // Uncommenting this might help if you have to go through a
        // firewall and things are not working out:
        // query-source address * port 53;

--Thorin


----- Original Message -----
From: "Jason Haar" <Jason.Haar at ...294...>
To: "snort mailing list" <snort-users at lists.sourceforge.net>
Sent: Sunday, April 08, 2001 22:21
Subject: [Snort-users] MISC source port 53


> I'm starting to see a lot of "MISC source port 53 to <1023" hits. I think
> it's due to the rules update I did last week, but I think it's causing heaps
> of false positives.
>
> I sniffed out a few - here's what tcpdump reports:
>
> 14:00:28.890720 12.26.84.131.53 > 203.167.239.194.53:  39188 A?
> trimble.co.nz. (31) (DF)
> 14:00:28.892319 203.167.239.194.53 > 12.26.84.131.53:  39188* 0/1/0 (84)
> 14:00:47.116723 198.186.203.85.53 > 203.167.239.194.53:  18947 MX?
> trimble.co.nz. (31)
> 14:00:47.118779 203.167.239.194.53 > 198.186.203.85.53:  18947* 1/3/3 MX
> hades.trimble.co.nz. 10 (163)
> 14:03:16.556402 202.101.38.219.53 > 203.167.239.194.53:  2382 A?
> trimble.co.nz. (31) (DF)
> 14:03:16.557736 203.167.239.194.53 > 202.101.38.219.53:  2382* 0/1/0 (84)
>
>
> Looks to me like a DNS server looking up our NS, then doing an MX record
> lookup. Nothing suspicious about that except that its UDP source port is 53
> instead of > 1023.
>
> Looking these addresses up has so far returned either DNS or SMTP servers -
> which sort-a follows :-) Strangely enough, the SMTP servers have all been
> Unix ones - which sort of implies the DNS servers will also be Unix. So what
> DNS server uses port 53 for sending standard DNS queries?
>
>
> --
> Cheers
>
> Jason Haar
>
> Unix/Special Projects, Trimble NZ
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
>
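The pattern in the tcpdump output above is a query arriving from UDP source port 53 followed by the authoritative server's answer back to that same port with the same transaction ID, which is exactly what a resolver configured with BIND's `query-source address * port 53` produces. The script below is an added example (not code from the thread or from Snort) that reads tcpdump lines in the format quoted above and sorts "source port 53 to <1023" hits into answered queries, DNS-shaped packets that never got a reply, and non-DNS payloads that merely borrow port 53. The `HOME_NET` address and the sample capture are constructed for the example; the addresses are RFC 5737 documentation ranges, not the hosts from the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the tcpdump 3.x format quoted in the thread. The last three
# lines are added to exercise the non-DNS, no-match and unanswered branches.
SAMPLE_TCPDUMP = """\
14:00:28.890720 192.0.2.10.53 > 198.51.100.5.53:  39188 A? example.test. (31) (DF)
14:00:28.892319 198.51.100.5.53 > 192.0.2.10.53:  39188* 0/1/0 (84)
14:00:47.116723 192.0.2.20.53 > 198.51.100.5.53:  18947 MX? example.test. (31)
14:00:47.118779 198.51.100.5.53 > 192.0.2.20.53:  18947* 1/3/3 MX mail.example.test. 10 (163)
14:05:01.000000 192.0.2.30.53 > 198.51.100.5.25:  udp 32
14:05:02.000000 192.0.2.40.33001 > 198.51.100.5.53:  555 A? example.test. (31)
14:06:00.000000 192.0.2.50.53 > 198.51.100.5.53:  777 A? example.test. (31)
"""

HOME_NET = "198.51.100.5"  # hypothetical: the authoritative DNS server being monitored

# "<time> <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)
# DNS payloads start with the transaction id; tcpdump appends "*" when the AA bit is set
DNS_RE = re.compile(r"^(?P<id>\d+)(?P<aa>\*?)\s+(?P<body>.*)$")


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    dns_id: Optional[int]   # None when the payload is not decoded as DNS
    is_query: bool          # tcpdump prints queries as "<id> <TYPE>? <name>"


def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump line; return None for lines that are not UDP/IP records."""
    m = LINE_RE.match(line)
    if not m:
        return None
    dns_id, is_query = None, False
    d = DNS_RE.match(m["rest"])
    if d:
        dns_id = int(d["id"])
        is_query = re.search(r"\b[A-Z]+\?", d["body"]) is not None
    return Packet(m["ts"], m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]), dns_id, is_query)


def matches_source_port_53_rule(p: Packet) -> bool:
    """Header of the alert under discussion: UDP from port 53 into a privileged port on our host."""
    return p.sport == 53 and p.dst == HOME_NET and p.dport <= 1023


def triage(capture_text: str) -> List[Tuple[str, str, int, str]]:
    """Return (timestamp, peer, dst port, verdict) for every packet the rule would alert on."""
    packets = [p for p in (parse_line(l) for l in capture_text.splitlines()) if p]
    # replies our server sent, keyed by (transaction id, peer address, peer port)
    replies = {(p.dns_id, p.dst, p.dport) for p in packets
               if p.src == HOME_NET and p.dns_id is not None and not p.is_query}
    verdicts = []
    for p in packets:
        if not matches_source_port_53_rule(p):
            continue
        if p.is_query and (p.dns_id, p.src, p.sport) in replies:
            # a normal query/answer pair; the peer just uses a fixed source port 53
            verdict = "answered-query"
        elif p.dns_id is not None:
            # DNS-shaped, but our server never answered it: worth a closer look
            verdict = "dns-unanswered"
        else:
            # port 53 used as a source port for a non-DNS payload: review
            verdict = "non-dns"
        verdicts.append((p.ts, p.src, p.dport, verdict))
    return verdicts


if __name__ == "__main__":
    for ts, peer, dport, verdict in triage(SAMPLE_TCPDUMP):
        print(f"{ts} {peer}:53 -> {HOME_NET}:{dport}  {verdict}")
```

Run against a real capture, the "answered-query" bucket is the set of alerts you can explain by the resolver configuration Thorin describes and suppress per peer; the other two buckets are what the rule is actually useful for.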