[Snort-users] Can I stop these port 53 detects?

Phil Wood cpw at ...440...
Thu Jun 21 17:50:44 EDT 2001


You need some pass rules for 53 -> 53.  And you need to fix the
<1024 rule.  It probably has a :1024 in it.  That catches legitimate
dns of the form 1024 -> 53.  Change it to :1023.

On Thu, Jun 21, 2001 at 08:06:09PM +0000, info.sec at ...2365... wrote:
> Greetings,
> 
> I hope this isn't in a FAQ somewhere - I couldn't find 
> it.
> 
> I'm running Snort 1.7 on an OpenBSD 2.8 system.
> I have a line in my snort.conf file like this:
> 
> # Define the addresses of DNS servers and other hosts
> var DNS_SERVERS [aa.bb.cc.dd/32,ee.ff.gg.hh/32]
> 
> 
> But my alert log still fills up with these:
> 
> [**] MISC source port 53 to <1024 [**]
> 06/21-12:55:52.409466 ee.ff.gg.hh:53 -> 1.2.3.4:685
> UDP TTL:246 TOS:0x0 ID:35418 IpLen:20 DgmLen:205 DF
> Len: 185
> 
> Where 1.2.3.4 is the outside interface of my firewall.
> 
> Is there anything I can do to stop Snort from keying on 
> these port 53 packets from one of our DNS servers?
> 
> TIA!
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw at ...440...





More information about the Snort-users mailing list