[Snort-users] Version 1.8-beta6 (Build 26)

Phil Wood cpw at ...440...
Wed Jun 20 16:56:58 EDT 2001


Folks,

You will get inundated with MISC source port 53 to <1024 alerts unless
you fix the following rules:

misc.rules:alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1024 (msg:"MISC Source Port 20 to <1024"; flags:S; reference:arachnids,06; classtype:bad-unknown; sid:503; rev:1;)
misc.rules:alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1024"; flags:S; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:1;)
misc.rules:alert udp $EXTERNAL_NET 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:1;)

Notice the :1024.  That means <= (less than or equal to).  Which catches
all the legitimate lowport to 1024 return packets.  These rules should be:

misc.rules:alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"MISC Source Port 20 to <1024"; flags:S; reference:arachnids,06; classtype:bad-unknown; sid:503; rev:1;)
misc.rules:alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; flags:S; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:1;)
misc.rules:alert udp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:1;)

You will still get a bunch of false positives from operating systems with
broken IP stacks (or lack thereof).

Thanks,

Phil
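The port-range point in the post, as an added example that is not part of the original message: a small parser for Snort port specifications (`any`, `53`, `:1024`, `1024:`, `100:200`, inclusive at both ends) applied to a constructed DNS reply arriving on local port 1024, showing that the shipped `:1024` spec matches it while the corrected `:1023` spec does not. The packet record and function names are assumptions for this illustration.

```python
"""Added example (not from the original post): a minimal parser for Snort port
specifications, used to show why ':1024' (inclusive) fires on legitimate
replies to ephemeral port 1024 while ':1023' does not."""


def parse_port_spec(spec: str):
    """Return (low, high) for a Snort port spec: 'any', '53', ':1024',
    '1024:' or '100:200'. Ranges are inclusive at both ends, so ':1024'
    means every port from 0 through 1024."""
    spec = spec.strip()
    if spec == "any":
        return (0, 65535)
    if ":" not in spec:
        port = int(spec)
        return (port, port)
    lo, hi = spec.split(":", 1)
    low = int(lo) if lo else 0
    high = int(hi) if hi else 65535
    if not (0 <= low <= high <= 65535):
        raise ValueError(f"bad port spec: {spec!r}")
    return (low, high)


def port_matches(spec: str, port: int) -> bool:
    low, high = parse_port_spec(spec)
    return low <= port <= high


def rule_hits(src_spec: str, dst_spec: str, sport: int, dport: int) -> bool:
    """True if a rule with these source/destination port specs matches a
    packet going from sport to dport (addresses and flags ignored here)."""
    return port_matches(src_spec, sport) and port_matches(dst_spec, dport)


# Constructed sample packet: a DNS reply from an external resolver (source
# port 53) to a client whose first ephemeral port is 1024.
DNS_REPLY = {"sport": 53, "dport": 1024}


def original_rule_hits(pkt=DNS_REPLY) -> bool:
    # sid:504 as shipped: $HOME_NET :1024  (<= 1024, so the reply matches)
    return rule_hits("53", ":1024", pkt["sport"], pkt["dport"])


def fixed_rule_hits(pkt=DNS_REPLY) -> bool:
    # sid:504 as corrected in the post: $HOME_NET :1023  (< 1024)
    return rule_hits("53", ":1023", pkt["sport"], pkt["dport"])


if __name__ == "__main__":
    print("':1024' fires on DNS reply to port 1024:", original_rule_hits())
    print("':1023' fires on DNS reply to port 1024:", fixed_rule_hits())
```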
