[Snort-users] Arghh...how do I stop it doing this!!

Brian Caswell bmc at ...312...
Thu May 3 12:27:53 EDT 2001


Dave Fitches wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Active System Attack Alerts
> =-=-=-=-=-=-=-=-=-=-=-=-=-=
> [**] MISC source port 53 to <1023 [**]
> 05/04-00:04:47.283946 209.235.102.13:53 -> 203.164.xxx.xxx:53
> UDP TTL:237 TOS:0x0 ID:50935 IpLen:20 DgmLen:460 DF
> [**] MISC source port 53 to <1023 [**]
> 05/04-00:04:47.542673 209.235.102.12:53 -> 203.164.xxx.xxx:53
> UDP TTL:237 TOS:0x0 ID:21123 IpLen:20 DgmLen:137 DF
> 
> [...etc...]
> 
> Damn thing seems to read every DNS query _I_ do as a bloody alert notable
> event!!
> ARRGHH!!!


Don't use any for $HOME_NET and $EXTERNAL_NET.

I would simply comment out that rule.  Adding a "pass" rule could lead
to bad things being ignored.  It's trivial to change the src port for
exploits.

-brian
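
The trade-off between a pass rule and commenting the rule out, as an added example that is not part of the original thread: a simplified Python model of rule evaluation, not Snort's engine or rule syntax. It assumes pass rules are checked before alert rules; the `Rule` and `Packet` classes, the payload signature and both packets are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str
    sport: int
    dport: int
    payload: bytes = b""

@dataclass(frozen=True)
class Rule:
    action: str                      # "alert" or "pass"
    msg: str
    proto: str
    sport: Optional[int] = None      # None means any source port
    dport_max: Optional[int] = None  # None means any destination port
    content: bytes = b""             # empty means no payload match required

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and (self.sport is None or p.sport == self.sport)
                and (self.dport_max is None or p.dport <= self.dport_max)
                and self.content in p.payload)

def evaluate(rules, pkt):
    """Return alert messages for pkt. Assumption: a matching pass rule
    is applied first and suppresses every alert for that packet."""
    if any(r.action == "pass" and r.matches(pkt) for r in rules):
        return []
    return [r.msg for r in rules if r.action == "alert" and r.matches(pkt)]

# Simplified stand-in for the rule that produced the alerts in the thread.
NOISY = Rule("alert", "MISC source port 53 to <1023", "udp", sport=53, dport_max=1023)
# Constructed content rule representing any other signature in the rule set.
SIG = Rule("alert", "constructed payload signature", "udp", content=b"BADBYTES")
# The tempting fix: ignore everything that arrives from source port 53.
PASS53 = Rule("pass", "ignore source port 53", "udp", sport=53)

dns_reply = Packet("udp", 53, 53, b"dns answer")        # constructed benign reply
spoofed_src = Packet("udp", 53, 111, b"xxBADBYTESxx")   # constructed: src port set to 53

if __name__ == "__main__":
    for name, rules in [("as shipped", [NOISY, SIG]),
                        ("pass rule added", [NOISY, SIG, PASS53]),
                        ("noisy rule commented out", [SIG])]:
        print(name, evaluate(rules, dns_reply), evaluate(rules, spoofed_src))
```

With the pass rule in place the second packet produces no alert at all, while removing only the noisy rule silences the DNS replies and still lets the content rule fire.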



