[Snort-users] misc.rules error

Tony Lill ajlill at ...1676...
Sat Apr 28 00:43:33 EDT 2001


In the misc.rules file from cvs for Version 1.8-beta3 (Build 12), the
following rule catches normal DNS replies to port 1024 (which one of
my nameservers just picked for its query port).

alert udp $EXTERNAL_NET 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown;) 

--
Tony Lill,                         Tony.Lill at ...1685...
President, A. J. Lill Consultants        fax/data (519) 650 3571
539 Grand Valley Dr., Cambridge, Ont. N3H 2S2     (519) 241 2461
--------------- http://www.ajlc.waterloo.on.ca/ ----------------
"Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!"
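
The port-range behaviour behind this report, as an added example that is not part of the original post and is not Snort's own code: Snort's `:N` port syntax includes N itself, so a destination of `:1024` matches port 1024 even though the rule's message says "<1024", while `:1023` does not. The function names and the sample reply list are constructed for illustration, and addresses are assumed to match.

```python
# Added illustration: models how the port fields of a Snort rule header match.
# Function names are hypothetical; this is not Snort source code.

def parse_port_spec(spec):
    """Return (negated, low, high) for a Snort-style port field.

    Supported forms: any, N, N:M, :M, N:, each optionally prefixed with '!'.
    Range bounds are inclusive, as in Snort.
    """
    negated = spec.startswith("!")
    body = spec[1:] if negated else spec
    if body == "any":
        low, high = 0, 65535
    elif ":" in body:
        lo_txt, hi_txt = body.split(":", 1)
        low = int(lo_txt) if lo_txt else 0          # ':M' means 0..M
        high = int(hi_txt) if hi_txt else 65535     # 'N:' means N..65535
    else:
        low = high = int(body)
    if not (0 <= low <= high <= 65535):
        raise ValueError(f"bad port spec: {spec!r}")
    return negated, low, high


def port_matches(spec, port):
    """True if 'port' satisfies the port field 'spec'."""
    negated, low, high = parse_port_spec(spec)
    return (low <= port <= high) != negated


def rule_fires(src_spec, dst_spec, src_port, dst_port):
    """Port half of a 'src -> dst' header match (addresses assumed to match)."""
    return port_matches(src_spec, src_port) and port_matches(dst_spec, dst_port)


# Constructed sample: DNS replies (source port 53) to resolver query ports.
REPLIES = [(53, 1023), (53, 1024), (53, 1025), (53, 32768)]


def fired_ports(dst_spec):
    """Destination ports from REPLIES on which 'udp ... 53 -> ... dst_spec' fires."""
    return [d for s, d in REPLIES if rule_fires("53", dst_spec, s, d)]


if __name__ == "__main__":
    print("dst ':1024' fires on", fired_ports(":1024"))
    print("dst ':1023' fires on", fired_ports(":1023"))
```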



