[Snort-users] [**] MISC source port 53 to <1023 [**]

Bill Gercken bgercken at ...1569...
Thu Mar 15 06:05:05 EST 2001

Does that imply that we should perhaps remove it from the perimeter sensor
and only use it on the internal sensors?
Also, is there a way to allow normal DNS traffic to be ignored by this rule?


William C. Gercken
Provident Analysis Corporation
bgercken at ...1569...

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Erik Fichtner
Sent: Wednesday, March 14, 2001 8:34 PM
To: Ian Campbell
Cc: 'snort-users at lists.sourceforge.net'
Subject: Re: [Snort-users] [**] MISC source port 53 to <1023 [**]


On Wed, Mar 14, 2001 at 04:30:21PM -0800, Ian Campbell wrote:
> Can anyone give me more info on this particular rule or the details of any
> exploits it's supposed to catch?

If you had a stateless firewall, say something like a bunch of cisco router
access-lists, you would probably allow queries from some machines to port
because you would want to make DNS requests..  And since your packet filter
would be stateless, you would want to allow replies from the nameservers,
which is using source port 53.


Okay.. so this sort of thing was conceived back in the day when you could be
fairly certain that the Average Guy couldn't come along and craft a custom
packet.  But now, Average Guy can create all manner of crap on the wire, and
making his packets claim to be from port 53 might just get them through your
wimpy stateless firewall, if you happen to have that.

And thus, why there's a rule to catch that kind of thing...  Except that
it falses a lot.

--
Erik Fichtner
Security Administrator, ServerVault, Inc.
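As an added illustration, not code from this thread or from Snort itself, the sketch below replays constructed packet records through two checks: a stateless one that mirrors the "source port 53 to a low port" idea, and a stateful one that only alerts when an inbound source-port-53 packet has no matching outbound DNS query. The HOME_NET range, the 30-second reply window and the exact low-port boundary are assumptions chosen for the example.

```python
"""Stateless vs. stateful handling of 'source port 53 to a low port' traffic.

Added example: it is not a Snort rule and not the thread authors' code.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("10.0.0.0/8")  # assumed local network, like Snort's $HOME_NET
LOW_PORT_MAX = 1023                  # subject line says "<1023"; exact boundary is an assumption
REPLY_WINDOW = 30.0                  # seconds an outbound query stays "open"; assumed tunable


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since start of capture
    proto: str     # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


def _inbound_low_port_from_53(p: Packet) -> bool:
    """The stateless condition: source port 53, low destination port, headed into HOME_NET."""
    return p.sport == 53 and p.dport <= LOW_PORT_MAX and ip_address(p.dst) in HOME_NET


def stateless_alerts(packets):
    """Fire on every packet that matches the condition, legitimate reply or not."""
    return [p for p in packets if _inbound_low_port_from_53(p)]


def stateful_alerts(packets):
    """Fire only when no matching outbound query was seen within REPLY_WINDOW."""
    open_queries = {}  # (proto, client, client_port, server) -> ts of the query
    alerts = []
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        # Record outbound DNS queries from the local network.
        if p.dport == 53 and ip_address(p.src) in HOME_NET:
            open_queries[(p.proto, p.src, p.sport, p.dst)] = p.ts
            continue
        if not _inbound_low_port_from_53(p):
            continue
        # Does this look like the reply to a query we recorded?
        key = (p.proto, p.dst, p.dport, p.src)
        sent = open_queries.get(key)
        if sent is not None and 0.0 <= p.ts - sent <= REPLY_WINDOW:
            del open_queries[key]  # one reply consumes the query
            continue
        alerts.append(p)
    return alerts


# Constructed traffic, not a real capture.
SAMPLE = [
    Packet(0.0, "udp", "10.0.0.5", 53, "192.0.2.10", 53),      # old-style resolver querying from port 53
    Packet(0.1, "udp", "192.0.2.10", 53, "10.0.0.5", 53),      # legitimate reply, 53 -> 53
    Packet(1.0, "udp", "10.0.0.7", 40001, "192.0.2.10", 53),   # resolver using a high source port
    Packet(1.1, "udp", "192.0.2.10", 53, "10.0.0.7", 40001),   # reply to a high port, never matches
    Packet(5.0, "tcp", "198.51.100.9", 53, "10.0.0.8", 22),    # unsolicited: source port 53 to ssh
    Packet(90.0, "udp", "192.0.2.10", 53, "10.0.0.5", 53),     # "reply" with no query inside the window
]

if __name__ == "__main__":
    print("stateless:", [(p.src, p.dst, p.dport) for p in stateless_alerts(SAMPLE)])
    print("stateful: ", [(p.src, p.dst, p.dport) for p in stateful_alerts(SAMPLE)])
```

On this input the stateless check raises three alerts, one of them the ordinary 53-to-53 reply that a resolver querying from port 53 receives, which is the false positive Bill asks about. The stateful check keeps the two alerts that have no outbound query behind them: the crafted packet to port 22 and the late "reply" that arrives after its window has expired.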

