[Snort-users] [**] MISC source port 53 to <1023 [**]

Erik Fichtner emf at ...367...
Wed Mar 14 20:33:45 EST 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Mar 14, 2001 at 04:30:21PM -0800, Ian Campbell wrote:
> Can anyone give me more info on this particular rule or the details of any
> exploits it's supposed to catch?

If you had a stateless firewall, say something like a bunch of cisco router
access-lists, you would probably allow queries from some machines to port 53,
because you would want to make DNS requests..  And since your packet filter
would be stateless, you would want to allow replies from the nameservers,
which use source port 53.

Right?

Okay.. so this sort of thing was conceived back in the day when you could be
fairly certain that the Average Guy couldn't come along and craft a custom
packet.  But now, Average Guy can create all manner of crap on the wire, and
making his packets claim to be from port 53 might just get them through your
wimpy stateless firewall, if you happen to have that.

And thus, why there's a rule to catch that kind of thing...  Except that
it falses a lot.
 
- -- 
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-333-5900
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjqwG/gACgkQQ7EzrewLMS0wIQCbBwRLVWrL0ItXRm23jA3UX4km
xl0AoLPSKIBNnRZR3EubxVEoFZa9kUzY
=ofJF
-----END PGP SIGNATURE-----
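The mechanics Erik describes, as an added example that is not part of the original thread: a stateless "permit from source port 53" rule admits any datagram that merely claims to come from a nameserver, a connection-tracking filter admits only replies to queries it saw leave, and the "source port 53 to <1023" check fires on both an unsolicited datagram and on an ordinary answer to a nameserver that itself queries from port 53 (which is why the rule is noisy). The packet tuples, the documentation-range addresses and the `<= 1023` reading of the rule name are all constructed here; the real Snort rule text is not on the page.

```python
"""Stateless ACL vs. connection tracking vs. the 'source port 53 to <1023' check.
Added illustration; not code from the Snort project or from the thread."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


FourTuple = Tuple[str, int, str, int]


def stateless_acl_allows(pkt: Packet) -> bool:
    """Router-ACL style rule: admit anything claiming to come from a DNS server.
    The filter has no memory of outbound queries, so the source port is all it can check."""
    return pkt.proto == "udp" and pkt.sport == 53


class StatefulFilter:
    """Connection tracking: an inbound datagram from port 53 is admitted only if it
    answers a query this filter saw leave."""

    def __init__(self) -> None:
        self.pending: Set[FourTuple] = set()

    def outbound(self, pkt: Packet) -> None:
        if pkt.proto == "udp" and pkt.dport == 53:
            self.pending.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound_allows(self, pkt: Packet) -> bool:
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reverse of the query tuple
        if key in self.pending:
            self.pending.discard(key)  # one reply per query
            return True
        return False


def source53_to_lowport(pkt: Packet) -> bool:
    """The condition the rule's name describes (assumed reading): source port 53
    towards a privileged destination port, i.e. 1023 or below."""
    return pkt.sport == 53 and pkt.dport <= 1023


# Constructed sample traffic. 192.0.2.0/24 plays the protected network.
OUTBOUND: List[Packet] = [
    # a client resolver asking an external nameserver
    Packet("udp", "192.0.2.10", 34567, "198.51.100.5", 53),
    # our own nameserver asking the same server, using source port 53 as older
    # BIND-era servers commonly did
    Packet("udp", "192.0.2.53", 53, "198.51.100.5", 53),
]

INBOUND: List[Tuple[str, Packet]] = [
    ("reply to the client", Packet("udp", "198.51.100.5", 53, "192.0.2.10", 34567)),
    ("reply to our nameserver", Packet("udp", "198.51.100.5", 53, "192.0.2.53", 53)),
    ("unsolicited datagram to port 22", Packet("udp", "203.0.113.7", 53, "192.0.2.10", 22)),
]


def evaluate() -> Dict[str, Dict[str, bool]]:
    """Run the constructed traffic through all three checks and return the verdicts."""
    fw = StatefulFilter()
    for pkt in OUTBOUND:
        fw.outbound(pkt)
    results: Dict[str, Dict[str, bool]] = {}
    for label, pkt in INBOUND:
        results[label] = {
            "stateless_acl": stateless_acl_allows(pkt),
            "stateful": fw.inbound_allows(pkt),
            "rule_fires": source53_to_lowport(pkt),
        }
    return results


if __name__ == "__main__":
    for label, verdict in evaluate().items():
        print(f"{label:32s} {verdict}")
```

The output makes the thread's two points visible side by side: the stateless ACL admits all three datagrams, the tracker rejects only the unsolicited one, and the rule fires on the unsolicited datagram but also on the perfectly normal 53-to-53 answer, which it cannot distinguish from a spoofed one without the query state the filter keeps.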