[Snort-users] my logs is flooding with snort w/ some weird message about port 53

alexus ml at ...1718...
Tue Sep 4 11:48:03 EDT 2001


hello

for some reason i get a lot of traffic on my port 53, even though my
nameserver is closed to the public. can someone explain to me what that means?

Sep  4 14:44:05 box snort[11565]: [1:515:2] MISC source port 53 to <1024
[Classification: Potentially Bad Traffic] [Priority: 2]: {UDP}
24.69.255.195:53 -> 66.92.98.145:53
Sep  4 14:44:08 box snort[11565]: [1:515:2] MISC source port 53 to <1024
[Classification: Potentially Bad Traffic] [Priority: 2]: {UDP}
194.67.2.114:53 -> 66.92.98.145:53
Sep  4 14:44:08 box snort[11565]: [1:515:2] MISC source port 53 to <1024
[Classification: Potentially Bad Traffic] [Priority: 2]: {UDP}
207.236.57.98:53 -> 66.92.98.145:53
Sep  4 14:44:08 box snort[11565]: [1:515:2] MISC source port 53 to <1024
[Classification: Potentially Bad Traffic] [Priority: 2]: {UDP}
207.236.57.98:53 -> 66.92.98.145:53

just for example right now it's 2:45pm and since morning i already got

su-2.05# grep -c "MISC source port 53" /var/log/all.log
9222
su-2.05#

of those entries in my log

please help

if this is legit traffic, which rule can i comment out so it won't show in my
logs? and if this traffic is legit, why does it show as "potentially bad
traffic"?

thanks in advance
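
An added example, not part of the original post: where grep -c only gives a total, this Python sketch breaks the same alerts down by source address and by port pair. The sample lines are the four alerts quoted above, rejoined onto one line each on the assumption that the breaks are mail wrapping; the function names are hypothetical.

```python
import re
from collections import Counter

# The four alert lines from the post, unwrapped (assumption: the line breaks
# in the e-mail are mail wrapping, not part of the syslog record).
_TAIL = ("MISC source port 53 to <1024 [Classification: Potentially Bad Traffic] "
         "[Priority: 2]: {UDP} ")
SAMPLE_LOG = "\n".join([
    "Sep  4 14:44:05 box snort[11565]: [1:515:2] " + _TAIL + "24.69.255.195:53 -> 66.92.98.145:53",
    "Sep  4 14:44:08 box snort[11565]: [1:515:2] " + _TAIL + "194.67.2.114:53 -> 66.92.98.145:53",
    "Sep  4 14:44:08 box snort[11565]: [1:515:2] " + _TAIL + "207.236.57.98:53 -> 66.92.98.145:53",
    "Sep  4 14:44:08 box snort[11565]: [1:515:2] " + _TAIL + "207.236.57.98:53 -> 66.92.98.145:53",
])

# Layout of a Snort syslog alert as it appears in the post:
# [gid:sid:rev] message [Classification: ...] [Priority: n]: {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alerts(text):
    """Yield one dict per alert line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield m.groupdict()

def summarize(text, sid="515"):
    """Count alerts for one signature id by source address and by port pair."""
    by_src, by_ports = Counter(), Counter()
    for a in parse_alerts(text):
        if a["sid"] != sid:
            continue
        by_src[a["src"]] += 1
        by_ports[(a["proto"], int(a["sport"]), int(a["dport"]))] += 1
    return by_src, by_ports

if __name__ == "__main__":
    by_src, by_ports = summarize(SAMPLE_LOG)
    for src, n in by_src.most_common():
        print(f"{n:6d}  {src}")
    for (proto, sport, dport), n in by_ports.most_common():
        print(f"{n:6d}  {proto} {sport} -> {dport}")
```

To run it over the real log, pass the contents of /var/log/all.log to summarize() in place of SAMPLE_LOG.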





