[Snort-users] Can I stop these port 53 detects?

info.sec at ...2365... info.sec at ...2365...
Thu Jun 21 16:06:09 EDT 2001


Greetings,

I hope this isn't in a FAQ somewhere - I couldn't find 
it.

I'm running Snort 1.7 on an OpenBSD 2.8 system.
I have a line in my snort.conf file like this:

# Define the addresses of DNS servers and other hosts
var DNS_SERVERS [aa.bb.cc.dd/32,ee.ff.gg.hh/32]


But my alert log still fills up with these:

[**] MISC source port 53 to <1024 [**]
06/21-12:55:52.409466 ee.ff.gg.hh:53 -> 1.2.3.4:685
UDP TTL:246 TOS:0x0 ID:35418 IpLen:20 DgmLen:205 DF
Len: 185

Where 1.2.3.4 is the outside interface of my firewall.

Is there anything I can do to stop Snort from keying on 
these port 53 packets from one of our DNS servers?

TIA!




More information about the Snort-users mailing list