[Snort-users] MISC source port 53 to <1024 question

Bruno Gimenes Pereti pereti at ...3411...
Tue Oct 9 07:06:15 EDT 2001


Rich, you replied only to me, so I'm forwarding my response to the list.
And you are right, I forgot the ports above 1023...

Bruno.

----- Original Message -----
From: "Rich Adamson" <radamson at ...2127...>
To: "Bruno Gimenes Pereti" <pereti at ...3411...>
Sent: Tuesday, October 09, 2001 11:18 AM
Subject: Re: [Snort-users] MISC source port 53 to <1024 question


>
> The rule below would appear to generate an alert on every "correct" response
> received from external DNS servers (eg, root servers, authoritative servers),
> and basically defines normal responses.
>
> The original rule (from the snort.org downloads) was intended to generate an
> alert when the external source used a "source port" of 53 and a destination
> port below 1023. However, "some" internet devices actually use port 53 for
> both the source and destination port (causing a false positive alert).
> Assuming one would like to be alerted when the source is 53 and the destination
> port is anything below 1023 except for 53, then it would seem the only
> reasonable logic is to use the original rule along with a "pass" rule (allowing
> 53 to 53) and the -o startup option (testing order pass|alert|log|...).
>
> Anyone have any thoughts on that?
>
>
> > I'd never made a rule but I think it could be only one:
> >
> > alert udp $EXTERNAL_NET 53 -> $HOME_NET !53 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)
> >
> > Please, correct me if I'm wrong.
> >
> > Bruno.
> >
> >
> > > Hi all,
> > >
> > > sorry for breaking the thread, but I only just subscribed to the list and
> > > don't have the original message available.
> > >
> > > I'm running a public DNS server and also very often (i.e. every 1 to 2
> > > minutes) see that very log entry.
> > > Because this is to be the first rule I'll write, I'd prefer to verify it with
> > > you before I enable it.
> > > I would go for
> > >
> > > alert udp $EXTERNAL_NET 53 -> $HOME_NET :52 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)
> > > alert udp $EXTERNAL_NET 53 -> $HOME_NET 54:1023 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)
> > >
> > > Instead of the single 53 -> $HOME_NET :1023 entry.
> > > Is this correct?
> > >
> > > Thanks,
> > > Michael
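As an added illustration (not code from the thread, nor from Snort or its rule set), the Python below models the two things the messages above argue about: how Snort evaluates a port field such as `:1023`, `!53`, `:52` or `54:1023`, and how the pass/alert ordering that the `-o` option changes decides whether a `pass` rule can suppress the original sid:515 alert. It runs the original rule, Bruno's single `!53` rule, Michael's pair of rules, and Rich's original-plus-pass combination over three constructed packets. Assumptions: all sample packets are taken to be $EXTERNAL_NET -> $HOME_NET (address variables are not resolved), the sample traffic is constructed rather than captured, and the `pass` rule's msg and sid (1000515) are arbitrary choices for this example.

```python
"""Added illustration, not code from the thread or from Snort itself: a minimal
model of Snort's port-field matching and pass/alert ordering, run over three
constructed packets to show how the sid:515 variants discussed above differ."""
from collections import namedtuple

Rule = namedtuple("Rule", "action proto sport dport")

# Rule text as quoted in the thread. The pass rule is what Rich's suggestion
# would look like; its msg and sid (1000515) are assumptions for this example.
ORIGINAL = ('alert udp $EXTERNAL_NET 53 -> $HOME_NET :1023 '
            '(msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)')
RULESETS = {
    "original": [ORIGINAL],
    "bruno": ['alert udp $EXTERNAL_NET 53 -> $HOME_NET !53 '
              '(msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)'],
    "michael": ['alert udp $EXTERNAL_NET 53 -> $HOME_NET :52 '
                '(msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)',
                'alert udp $EXTERNAL_NET 53 -> $HOME_NET 54:1023 '
                '(msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)'],
    "rich": [ORIGINAL,
             'pass udp $EXTERNAL_NET 53 -> $HOME_NET 53 '
             '(msg:"DNS server to server, do not alert"; sid:1000515; rev:1;)'],
}

# Constructed packets (not captured traffic), all $EXTERNAL_NET:53 -> $HOME_NET:dport.
SAMPLES = {
    "53->53": (53, 53),      # server-to-server DNS, the false positive Rich describes
    "53->1025": (53, 1025),  # reply to a resolver that queried from an ephemeral port
    "53->111": (53, 111),    # low port that is not DNS, what the rule is meant to catch
}


def port_matches(spec, port):
    """Snort port-field semantics: 'any', a single port, or 'lo:hi' with either
    end omitted (':1023' is 0-1023, '1024:' is 1024-65535); a leading '!' negates."""
    spec = spec.strip()
    if spec == "any":
        return True
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return not hit if negate else hit


def parse_rule(line):
    """Read the rule header only; options are ignored. Address variables are not
    resolved, so this assumes every sample packet is $EXTERNAL_NET -> $HOME_NET."""
    header = line.partition("(")[0]
    action, proto, _src, sport, _arrow, _dst, dport = header.split()
    return Rule(action, proto, sport, dport)


def verdict(rules, sport, dport, pass_first=False):
    """Action Snort takes on one UDP packet. Default order is alert -> pass -> log,
    so a matching alert fires before any pass rule is looked at; pass_first=True
    models the -o option (pass -> alert -> log), under which a pass rule that
    matches the packet suppresses the alert."""
    order = ("pass", "alert", "log") if pass_first else ("alert", "pass", "log")
    for action in order:
        for r in rules:
            if (r.action == action and r.proto == "udp"
                    and port_matches(r.sport, sport) and port_matches(r.dport, dport)):
                return action
    return None


def evaluate_all(pass_first):
    """Verdict ('alert', 'pass' or None) of every rule set for every sample."""
    return {name: {key: verdict([parse_rule(r) for r in lines], sp, dp, pass_first)
                   for key, (sp, dp) in SAMPLES.items()}
            for name, lines in RULESETS.items()}


if __name__ == "__main__":
    for pass_first in (False, True):
        print("rule order:", "pass->alert->log (-o)" if pass_first else "alert->pass->log (default)")
        for name, row in evaluate_all(pass_first).items():
            print(f"  {name:9s}", "  ".join(f"{k}:{v or '-'}" for k, v in row.items()))
```

Running it prints one table per rule order. Bruno's `!53` rule is the only one that fires on the 53->1025 reply, which is the "ports above 1023" case he concedes in his forward; Michael's two rules alert on 53->111 and stay quiet on both 53->53 and 53->1025 at the cost of two rules carrying the same sid; and Rich's pass rule suppresses the 53->53 alert only under the `-o` order, because with the default alert->pass->log order the alert rule is evaluated first and the pass rule never gets a chance to apply.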
