[Snort-users] MISC source port 53 to <1024 question

Rich Adamson radamson at ...2127...
Sun Oct 7 17:41:02 EDT 2001


Wonder if someone can help explain the following rule. I seem to be
getting a lot of what appears to be valid DNS lookups to our primary
DNS server with both a "source and destination port of 53" (as observed
with a Sniffer). (Snort v1.8.1)

alert udp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)

The typical alert looks like:

[**] MISC source port 53 to <1024 [**]
10/07-20:02:56.074735 161.69.3.150:53 -> 206.222.193.73:53
UDP TTL:240 TOS:0x0 ID:29841 IpLen:20 DgmLen:57 DF
Len: 37

Disabling the above rule stops the alerts, but I'm not sure if that is
the right thing to do. The DNS server responds correctly to each of these
requests.

Thoughts???

Rich
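An added example, not part of the post above, to make the port condition of sid:515 concrete: the rule header's source port field is the single port 53 and its destination field `:1023` is an open range meaning ports 0 through 1023, so any UDP datagram from an external port 53 to a home port at or below 1023 fires it, port 53 to port 53 included. The script below evaluates Snort's port-field syntax against alert header lines of the kind quoted (the first sample line mirrors the one in the post; the others are constructed for contrast) and reports why each does or does not match. Network variables are assumed to match, since only the ports are at issue.

```python
import re

# Constructed alert header lines in the format Snort 1.8 prints. The first
# mirrors the alert quoted in the post; the others are made up for contrast.
SAMPLE_ALERTS = """\
10/07-20:02:56.074735 161.69.3.150:53 -> 206.222.193.73:53
10/07-20:03:11.001200 161.69.3.150:53 -> 206.222.193.73:33987
10/07-20:03:15.500000 198.51.100.9:1234 -> 206.222.193.73:53
10/07-20:04:02.120000 161.69.3.150:53 -> 206.222.193.73:137
"""

# Port fields from the sid:515 rule header: "... $EXTERNAL_NET 53 -> $HOME_NET :1023"
RULE_SRC_PORT = "53"
RULE_DST_PORT = ":1023"

HEADER_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)"
    r"\s+->\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)


def port_matches(spec, port):
    """Evaluate a Snort rule port field against a port number.

    Handles the forms Snort accepts in a rule header: 'any', a single
    port 'N', a range 'N:M', an open range ':M' (0..M) or 'N:' (N..65535),
    and a leading '!' that negates the field.
    """
    spec = spec.strip()
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        low = int(lo) if lo else 0
        high = int(hi) if hi else 65535
        return low <= port <= high
    return port == int(spec)


def parse_alert_header(line):
    """Parse the 'timestamp src:port -> dst:port' line of a Snort alert.

    Returns a dict, or None for lines that are not an alert header
    (e.g. the 'UDP TTL:... DgmLen:...' line that follows it).
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def sid515_fires(sport, dport):
    """True when the port fields of the sid:515 header would match.

    $EXTERNAL_NET / $HOME_NET are assumed to match (assumption of this
    example); the question is only about the port condition.
    """
    return port_matches(RULE_SRC_PORT, sport) and port_matches(RULE_DST_PORT, dport)


def triage_alerts(text):
    """Classify each alert header line: does sid:515 match, and why."""
    rows = []
    for line in text.splitlines():
        pkt = parse_alert_header(line)
        if pkt is None:
            continue
        fires = sid515_fires(pkt["sport"], pkt["dport"])
        if not fires:
            note = "no match (source port != 53 or destination port > 1023)"
        elif pkt["dport"] == 53:
            note = "DNS on both ends (53 -> 53), the pattern described in the post"
        else:
            note = "source port 53 to a non-DNS port below 1024"
        rows.append((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], fires, note))
    return rows


if __name__ == "__main__":
    for src, sport, dst, dport, fires, note in triage_alerts(SAMPLE_ALERTS):
        flag = "ALERT " if fires else "quiet "
        print(f"{flag}{src}:{sport} -> {dst}:{dport}  {note}")
```

Running it separates the 53-to-53 datagrams (which match only because 53 is itself below 1024) from hits on other privileged ports, which is the split a tuning decision should be based on; disabling the rule outright removes both.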
