[Snort-users] Can I stop these port 53 detects?

Erik Norman erik.norman at ...2312...
Wed Jun 27 09:57:23 EDT 2001


It is with interest I read this thread, as I am experiencing the same
problem.

In my local.rules file, which btw is not commented out in snort.conf, I have
entered

	pass tcp <a certain ip> 53 -> <our dns> 53
	pass udp <a certain ip> 53 -> <our dns> 53


Snort has been completely restarted, without errors.

I am using standard Snort 1.7 on RH6.2.


I still receive entries like this:

Jun 27 15:32:20 localhost snort[32395]: MISC source port 53 to <1024: <a specific ip>:53 -> <our dns>:53


Are the pass rules entered above correct? Is 'pass' working satisfactorily in
1.7? Why is the sky blue?

Regards
Erik

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Phil Wood
> Sent: den 22 juni 2001 01:44
> To: info.sec at ...2365...
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Can I stop these port 53 detects?
>
>
> On Thu, Jun 21, 2001 at 10:20:14PM +0000, info.sec at ...2365... wrote:
> > Thanks for the feedback!
> >
> > I tried this (in local.rules):
> >
> > pass tcp dns.server.ip.address 53 -> $HOME_NET any
> > (msg: "no problem";)
> >
> > (That's all one line.  My e-mail client may have wrapped
> > it.)
> >
> > Then I killed Snort and restarted with the -o option.
> > I still get a log full of alerts.  [SIGH]
>
> Did you also fix the rules that think that :1024 means < 1024, when
> they should have :1023 which means <= 1023 which is the same as < 1024.
> Did I make myself clear?  %^)
>
> >
> > >
> > > You need some pass rules for 53 -> 53.  And you need to fix the
> > > <1024 rule.  It probably has a :1024 in it.  That catches legitimate
> > > dns of the form 1024 -> 53.  Change it to :1023.
> > >
> > > On Thu, Jun 21, 2001 at 08:06:09PM +0000, info.sec at ...2365... wrote:
> > > > Greetings,
> > > >
> > > > I hope this isn't in a FAQ somewhere - I couldn't find
> > > > it.
> > > >
> > > > I'm running Snort 1.7 on an OpenBSD 2.8 system.
> > > > I have a line in my snort.conf file like this:
> > > >
> > > > # Define the addresses of DNS servers and other hosts
> > > > var DNS_SERVERS [aa.bb.cc.dd/32,ee.ff.gg.hh/32]
> > > >
> > > >
> > > > But my alert log still fills up with these:
> > > >
> > > > [**] MISC source port 53 to <1024 [**]
> > > > 06/21-12:55:52.409466 ee.ff.gg.hh:53 -> 1.2.3.4:685
> > > > UDP TTL:246 TOS:0x0 ID:35418 IpLen:20 DgmLen:205 DF
> > > > Len: 185
> > > >
> > > > Where 1.2.3.4 is the outside interface of my firewall.
> > > >
> > > > Is there anything I can do to stop Snort from keying on
> > > > these port 53 packets from one of our DNS servers?
> > > >
> > > > TIA!
> > > >
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users at lists.sourceforge.net
> > > > Go to this URL to change user options or unsubscribe:
> > > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > > --
> > > Phil Wood, cpw at ...440...
> > >
> > >
>
> --
> Phil Wood, cpw at ...440...
>
>
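The two mechanics argued over in this thread, what a `:1024` port spec actually matches and why a `pass` rule can sit in local.rules without suppressing anything, are easier to see in a small model than in a mailbox. The following is an added example, not Snort's own code and not something posted by Erik or Phil. It models the subset of Snort 1.x rule syntax used above (action, protocol, addresses, ports, `msg`) and two documented Snort 1.x behaviours: `:N` means ports less than or equal to N, and rule types are walked Alert -> Pass -> Log by default but Pass -> Alert -> Log when Snort is started with `-o`. The function names, the `VARIABLES` table and the addresses (RFC 5737 documentation ranges) are all constructed for the example.

```python
"""Toy model of Snort 1.x rule evaluation, written to illustrate this thread:
what ':1024' matches and why a 'pass' rule only suppresses an alert when pass
rules are evaluated before alert rules. Added example, not Snort's own code."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src_ip: str
    src_port: str
    dst_ip: str
    dst_port: str
    msg: str


# action proto src_ip src_port -> dst_ip dst_port (msg:"...";)
# Only the rule options used in the thread (msg) are modelled.
RULE_RE = re.compile(
    r'^(alert|pass|log)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)'
    r'(?:\s*\(\s*msg\s*:\s*"([^"]*)"\s*;\s*\))?$'
)


def parse_rule(text: str) -> Rule:
    # Collapse whitespace so a rule wrapped by a mail client still parses.
    m = RULE_RE.match(" ".join(text.split()))
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    action, proto, sip, sport, dip, dport, msg = m.groups()
    return Rule(action, proto, sip, sport, dip, dport, msg or "")


def port_matches(spec: str, port: int) -> bool:
    """Snort port syntax: 'any', 'N', ':N' (<= N), 'N:' (>= N), 'N:M' (inclusive)."""
    if spec == "any":
        return True
    if ":" not in spec:
        return port == int(spec)
    lo, hi = spec.split(":", 1)
    return (lo == "" or port >= int(lo)) and (hi == "" or port <= int(hi))


def ip_matches(spec: str, ip: str, variables: dict) -> bool:
    """'any', one CIDR, a [a/32,b/32] list, or a $VAR resolved from snort.conf vars."""
    if spec.startswith("$"):
        spec = variables[spec[1:]]
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False)
               for n in spec.strip("[]").split(","))


def rule_matches(r: Rule, p: Packet, variables: dict) -> bool:
    return (r.proto == p.proto
            and ip_matches(r.src_ip, p.src_ip, variables)
            and ip_matches(r.dst_ip, p.dst_ip, variables)
            and port_matches(r.src_port, p.src_port)
            and port_matches(r.dst_port, p.dst_port))


def evaluate(rules, pkt: Packet, variables: dict, pass_first: bool = False) -> str:
    """Snort 1.x walks every rule of one action type before moving to the next:
    Alert -> Pass -> Log by default, Pass -> Alert -> Log with 'snort -o'.
    Returns the action of the first matching rule, or 'none'."""
    order = ("pass", "alert", "log") if pass_first else ("alert", "pass", "log")
    for action in order:
        for r in rules:
            if r.action == action and rule_matches(r, pkt, variables):
                return action
    return "none"


# Constructed addresses (documentation ranges); not the thread's real hosts.
VARIABLES = {"HOME_NET": "198.51.100.0/24",
             "DNS_SERVERS": "[192.0.2.53/32,192.0.2.54/32]"}


def scenarios() -> dict:
    """The thread's situations, evaluated under both rule orders."""
    loose = [parse_rule('alert udp any 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1024";)')]
    tight = [parse_rule('alert udp any 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024";)')]
    with_pass = tight + [parse_rule('pass udp $DNS_SERVERS 53 -> $HOME_NET any (msg:"no problem";)')]

    # A normal reply from our DNS server to a client that chose source port 1024.
    reply_1024 = Packet("udp", "192.0.2.53", 53, "198.51.100.7", 1024)
    # Server-to-server 53 -> 53 traffic, the case the pass rule is written for.
    srv_to_srv = Packet("udp", "192.0.2.53", 53, "198.51.100.53", 53)

    return {
        "reply_1024 under :1024": evaluate(loose, reply_1024, VARIABLES),
        "reply_1024 under :1023": evaluate(tight, reply_1024, VARIABLES),
        "53->53 default order": evaluate(with_pass, srv_to_srv, VARIABLES),
        "53->53 with -o": evaluate(with_pass, srv_to_srv, VARIABLES, pass_first=True),
    }


if __name__ == "__main__":
    for name, action in scenarios().items():
        print(f"{name:24} -> {action}")
```

Run as-is, the model shows the `:1024` rule alerting on a legitimate reply to port 1024 while `:1023` stays quiet, and the 53 -> 53 packet still producing an alert under the default order even though a matching pass rule exists; only with pass rules evaluated first does the pass win. That is the check to make before concluding that `pass` itself is broken: confirm how Snort was started, not just that the rule file loaded.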
