[Snort-users] MISC source port 53 to <1024 question

Bruno Gimenes Pereti pereti at ...3411...
Tue Oct 9 04:53:11 EDT 2001


I've never made a rule, but I think it could be only one:

alert udp $EXTERNAL_NET 53 -> $HOME_NET !53 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)

Please, correct me if I'm wrong.

Bruno.


> Hi all,
>
> sorry for breaking the thread, but I only just subscribed to the list and
> don't have the original message available.
>
> I'm running a public DNS server and also very often (i.e. every 1 to 2
> minutes) see that very log entry.
> Because this is to be the first rule I'll write, I'd prefer to verify it with
> you before I enable it.
> I would go for
>
> alert udp $EXTERNAL_NET 53 -> $HOME_NET :52 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)
> alert udp $EXTERNAL_NET 53 -> $HOME_NET 54:1023 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)
>
> Instead of the single 53 -> $HOME_NET :1023 entry.
> Is this correct?
>
> Thanks,
> Michael
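
Added example (not part of the original messages): a small Python model of the port field in a Snort rule header, run over the destination-port fields of the rules in this thread to show which ports each variant alerts on. It handles only `any`, a single port, `lo:hi`, `:hi`, `lo:` and a leading `!`. The function names and the treatment of an open lower bound as port 0 are assumptions of this sketch.

```python
# Added example: models the port field of a Snort rule header.
# Assumed subset of the syntax: any, N, lo:hi, :hi, lo:, optional leading "!".

MAX_PORT = 65535


def port_matches(spec: str, port: int) -> bool:
    """Return True if `port` is selected by the Snort-style port `spec`."""
    if not 0 <= port <= MAX_PORT:
        raise ValueError(f"port out of range: {port}")
    negate = spec.startswith("!")
    body = spec[1:] if negate else spec
    if body == "any":
        hit = True
    elif ":" in body:
        lo_s, hi_s = body.split(":", 1)
        lo = int(lo_s) if lo_s else 0          # ":52"  -> 0..52 (assumption: open low end is 0)
        hi = int(hi_s) if hi_s else MAX_PORT   # "500:" -> 500..65535
        if lo > hi:
            raise ValueError(f"empty range: {spec}")
        hit = lo <= port <= hi
    else:
        hit = port == int(body)
    return hit != negate                       # "!" inverts the selection


def covered(specs):
    """Set of ports selected by at least one of the given specs."""
    return {p for p in range(MAX_PORT + 1)
            if any(port_matches(s, p) for s in specs)}


# Destination-port fields taken from the rules quoted in this thread.
STOCK = [":1023"]              # the single 53 -> $HOME_NET :1023 entry
SPLIT = [":52", "54:1023"]     # the two-rule variant
NEGATED = ["!53"]              # the one-rule variant


def report():
    """Per variant: (ports selected, alerts on 53?, alerts on any port above 1023?)."""
    out = {}
    for name, specs in (("stock", STOCK), ("split", SPLIT), ("negated", NEGATED)):
        ports = covered(specs)
        out[name] = (len(ports), 53 in ports, any(p > 1023 for p in ports))
    return out


if __name__ == "__main__":
    for name, row in report().items():
        print(name, row)
```

The split variant selects exactly the stock range minus port 53, while `!53` selects every port except 53, including the ephemeral ports above 1023 where ordinary DNS replies arrive.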




