[Snort-users] MISC source port 53 to <1024 question

Madhav Diwan mdiwan at ...3717...
Sun Oct 7 20:11:02 EDT 2001


 Your problem is not really a major problem. You can fix it easily by changing the alert statement to
reflect which port you are accepting dns responses into ... rather than  $HOME_NET :1023  .. since you are
accepting dns responses on port 53  make sure that port 53 is outside the range of the alert .

While this behavior of a dns server to send response to a port less than 1024 is atypical.. it is not
unheard of.

I think the best suggestion I could make is that you might try a pass rule  which limits the responses
accepted to be sourced from your DNS servers alone .. that way you still catch anyone trying to get to your
lan via port 53.. but you can be reasonably sure that such an attack won't come from a dns server.  .... oh
and put your pass rule  ahead of this alert statement :)

you definitely do not want to remove the statement as it would allow a rather simple hole in your IDS. ie
anyone could send you a udp flood at port 53.. not a happy situation.

good luck

Madhav Diwan
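The pass-rule approach from the reply above, written out as an added example (it is not part of the original thread or of the stock Snort rule set). It is written for the case shown in the quoted alert: the site's own DNS server queries from source port 53, so legitimate replies arrive as 53 -> 53 and trip sid 515. The pass rule exempts only those replies, addressed to the listed resolvers on port 53, while the unchanged alert still fires for port-53 traffic aimed at any other low port. `$DNS_SERVERS`, the address in it, and the local sid are assumptions for illustration. One caveat a practitioner should know: Snort 1.x/2.x evaluates rule types in the order Alert -> Pass -> Log by default, so the alert would still fire regardless of where the pass rule sits in the file; start snort with `-o` to switch the order to Pass -> Alert -> Log so the pass rule is honoured.

```snort
# Added example, not from the original thread.
# Assumed variable: the site's own DNS server(s). Replace the address with your resolver.
var DNS_SERVERS [206.222.193.73/32]

# Pass rule: DNS replies (source port 53) delivered to our own resolver on port 53
# are expected when the resolver queries from source port 53, so do not alert on them.
# Local sids start at 1000000 by convention; this one is an assumption.
pass udp $EXTERNAL_NET 53 -> $DNS_SERVERS 53 (msg:"DNS reply to site resolver, port 53"; sid:1000001; rev:1;)

# Original rule from the thread, left in place: still catches source-port-53 traffic
# to every other low port on $HOME_NET (and to hosts that are not in $DNS_SERVERS).
alert udp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)
```

Run Snort with `-o` (for example `snort -o -c snort.conf`) so pass rules are applied before alert rules; without it the pass rule above has no effect on sid 515. Keep `$DNS_SERVERS` as tight as possible: every address added there is a host for which 53 -> 53 traffic will no longer be seen.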



Rich Adamson wrote:

> Wonder if someone can help explain the following rule. I seem to be
> getting a lot of what appears to be valid DNS lookups to our primary
> DNS server with both a "source and destination port of 53" (as observed
> with a Sniffer). (Snort v1.8.1)
>
> alert udp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown;
> sid:515; rev:2;)
>
> The typical alert looks like:
>
> [**] MISC source port 53 to <1024 [**]
> 10/07-20:02:56.074735 161.69.3.150:53 -> 206.222.193.73:53
> UDP TTL:240 TOS:0x0 ID:29841 IpLen:20 DgmLen:57 DF
> Len: 37
>
> Disabling the above rule stops the alerts, but I'm not sure if that is
> the right thing to do. The DNS server responds correctly to each of these
> requests.
>
> Thoughts???
>
> Rich
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users