[Snort-users] MISC source port 53 to <1024 question

Michael Ritzert michael.ritzert at ...3728...
Tue Oct 9 03:57:11 EDT 2001


Hi all,

sorry for breaking the thread, but I only just subscribed to the list and 
don't have the original message available.

I'm running a public DNS server and also very often (i.e. every 1 to 2 
minutes) see that very log entry.
Because this is to be the first rule I'll write, I'd prefer to verify it with 
you before I enable it.
I would go for

alert udp $EXTERNAL_NET 53 -> $HOME_NET :52 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET 54:1023 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)

Instead of the single 53 -> $HOME_NET :1023 entry.
Is this correct?

Thanks,
Michael


==========================
FROM: Madhav Diwan
DATE: 10/07/2001 20:10:36
SUBJECT: RE:  [Snort-users] MISC source port 53 to <1024 question

Your problem is not really a major problem. You can fix it easily by changing
the alert statement to reflect which port you are accepting DNS responses into
... rather than $HOME_NET :1023 .. since you are accepting DNS responses on
port 53, make sure that port 53 is outside the range of the alert.
[...]

Rich Adamson wrote:

> Wonder if someone can help explain the following rule. I seem to be
> getting a lot of what appears to be valid DNS lookups to our primary
> DNS server with both a "source and destination port of 53" (as observed
> with a Sniffer). (Snort v1.8.1)
>
> alert udp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)
>
> The typical alert looks like:
>
> [**] MISC source port 53 to <1024 [**]
> 10/07-20:02:56.074735 161.69.3.150:53 -> 206.222.193.73:53
> UDP TTL:240 TOS:0x0 ID:29841 IpLen:20 DgmLen:57 DF
> Len: 37
[...]
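The thread turns on how Snort's rule-header port field is read: ":1023" covers every destination port up to and including 1023, so a public DNS server's own port 53 falls inside it, while Michael's ":52" and "54:1023" pair covers the same span with 53 left out. The script below is an added example, not code from the Snort project or from any of the posters. It models that port-range notation, parses alert blocks in the fast format quoted by Rich, and reports which variant of sid 515 would fire on each alert; the alert lines and addresses it runs on are constructed samples (RFC 5737 ranges), and the triage labels are this example's own naming, not Snort output.

```python
"""Model Snort rule-header port ranges against sample source-port-53 alerts.

Added example for the Snort-users thread; not Snort project code.
"""
import re
from typing import Dict, List, Tuple

# Packet header line of a fast-format alert, e.g.
# "10/07-20:02:56.074735 192.0.2.10:53 -> 198.51.100.5:53"
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

# Constructed sample alerts in the format quoted in the thread (not real traffic).
# First block: server-to-server DNS (53 -> 53). Second: 53 -> an unprivileged-but-<1024 port.
SAMPLE_ALERTS = """\
[**] MISC source port 53 to <1024 [**]
10/07-20:02:56.074735 192.0.2.10:53 -> 198.51.100.5:53
UDP TTL:240 TOS:0x0 ID:29841 IpLen:20 DgmLen:57 DF
Len: 37

[**] MISC source port 53 to <1024 [**]
10/07-20:03:11.000001 192.0.2.11:53 -> 198.51.100.5:1000
UDP TTL:240 TOS:0x0 ID:29842 IpLen:20 DgmLen:57 DF
Len: 37
"""

ORIGINAL_RULE = [":1023"]          # destination field of sid 515 as Rich quoted it
SPLIT_RULES = [":52", "54:1023"]   # Michael's proposed pair, leaving port 53 out


def parse_port_spec(spec: str) -> Tuple[int, int]:
    """Translate a rule-header port field into an inclusive (low, high) range.

    Handles the forms used in the thread: "53", ":1023" (<= 1023),
    "54:1023" (54..1023), plus "1024:" (>= 1024) and "any".
    """
    spec = spec.strip()
    if spec == "any":
        return 0, 65535
    if ":" not in spec:
        port = int(spec)
        return port, port
    lo_s, hi_s = spec.split(":", 1)
    lo = int(lo_s) if lo_s else 0
    hi = int(hi_s) if hi_s else 65535
    if lo > hi:
        raise ValueError(f"inverted port range: {spec!r}")
    return lo, hi


def port_matches(spec: str, port: int) -> bool:
    lo, hi = parse_port_spec(spec)
    return lo <= port <= hi


def parse_alerts(text: str) -> List[Dict[str, object]]:
    """Pull msg, timestamp and the address/port 4-tuple out of fast-format alert blocks."""
    alerts: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[**]"):
            current = {"msg": line.strip("[*] ").strip()}
            continue
        m = HEADER_RE.match(line)
        if m and current:
            current.update(ts=m["ts"], src=m["src"], sport=int(m["sport"]),
                           dst=m["dst"], dport=int(m["dport"]))
            alerts.append(current)
            current = {}
    return alerts


def rules_that_fire(alert: Dict[str, object], dst_specs: List[str]) -> List[str]:
    """Return the destination-port specs (one per rule) that match a source-port-53 alert."""
    if alert["sport"] != 53:
        return []
    return [spec for spec in dst_specs if port_matches(spec, alert["dport"])]


def triage(alert: Dict[str, object]) -> str:
    """Defender's first reading of an alert (labels are this example's own)."""
    if alert["sport"] == 53 and alert["dport"] == 53:
        return "dns-server-to-server"   # expected on a host that serves DNS itself
    if alert["sport"] == 53 and alert["dport"] < 1024:
        return "review-low-port"        # the case sid 515 is meant to surface
    return "not-in-scope"


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(f"{a['src']}:{a['sport']} -> {a['dst']}:{a['dport']}  "
              f"triage={triage(a)}  original={rules_that_fire(a, ORIGINAL_RULE)}  "
              f"split={rules_that_fire(a, SPLIT_RULES)}")
```

Running it shows the original ":1023" rule firing on both sample alerts, while the split pair stays quiet on the 53 -> 53 packet and still fires (via "54:1023") on the 53 -> 1000 one, which is exactly the behaviour Michael is asking to confirm. Other port ranges can be checked by passing them to rules_that_fire.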
