[Snort-users] Can I stop these port 53 detects?
cpw at ...440...
Thu Jun 21 17:50:44 EDT 2001
You need some pass rules for 53 -> 53. And you need to fix the
<1024 rule. It probably has a :1024 in it. That catches legitimate
DNS of the form 1024 -> 53. Change it to :1023.
On Thu, Jun 21, 2001 at 08:06:09PM +0000, info.sec at ...2365... wrote:
> I hope this isn't in a FAQ somewhere - I couldn't find
> I'm running Snort 1.7 on an OpenBSD 2.8 system.
> I have a line in my snort.conf file like this:
> # Define the addresses of DNS servers and other hosts
> var DNS_SERVERS [aa.bb.cc.dd/32,ee.ff.gg.hh/32]
> But my alert log still fills up with these:
> [**] MISC source port 53 to <1024 [**]
> 06/21-12:55:52.409466 ee.ff.gg.hh:53 -> 18.104.22.168:685
> UDP TTL:246 TOS:0x0 ID:35418 IpLen:20 DgmLen:205 DF
> Len: 185
> Where 22.214.171.124 is the outside interface of my firewall.
> Is there anything I can do to stop Snort from keying on
> these port 53 packets from one of our DNS servers?
Phil Wood, cpw at ...440...
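
Added example (not part of the original message and not Snort's own code): a small Python model of Snort's inclusive port-range syntax, showing why `:1024` still matches traffic to port 1024 while `:1023` does not, and how a 53 -> 53 pass rule changes the outcome. The rule tuples and sample port pairs are constructed for illustration, and pass rules are assumed to be evaluated before alert rules.

```python
# Model of Snort-style port specs: 'any', 'N', 'N:M', ':M', 'N:', optional '!'.
# Ranges are inclusive at both ends, which is what makes ':1024' include 1024.

def port_matches(spec, port):
    """Return True if `port` falls inside the Snort-style port spec."""
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, hi = spec.split(":", 1)
        lo = int(lo) if lo else 0        # ':M' means 0 through M
        hi = int(hi) if hi else 65535    # 'N:' means N through 65535
        hit = lo <= port <= hi
    else:
        hit = port == int(spec)
    return hit != negate

def evaluate(rules, sport, dport):
    """First matching (action, src_spec, dst_spec) wins; 'none' if no match."""
    for action, src, dst in rules:
        if port_matches(src, sport) and port_matches(dst, dport):
            return action
    return "none"

# Hypothetical rule sets, ports only (protocol and addresses omitted).
# Assumption: pass rules are evaluated before alert rules.
ORIGINAL = [("alert", "53", ":1024")]
FIXED = [("pass", "53", "53"), ("alert", "53", ":1023")]

# Constructed (source port, destination port) samples.
SAMPLES = [(53, 1024), (53, 53), (53, 1023), (53, 4000)]

def compare():
    """Return (sport, dport, verdict under ORIGINAL, verdict under FIXED)."""
    return [(s, d, evaluate(ORIGINAL, s, d), evaluate(FIXED, s, d))
            for s, d in SAMPLES]

if __name__ == "__main__":
    for s, d, before, after in compare():
        print(f"{s:>5} -> {d:<5} original={before:<5} fixed={after}")
```

Snort 1.x applies alert rules before pass rules unless it is started with `-o`, so the pass rule only has the effect modelled here with that ordering.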