[Snort-users] my logs is flooding with snort w/ some weird message about port 53

alexus ml at ...1718...
Tue Sep 4 13:14:02 EDT 2001


hm okay i did that

same thing...

commenting it out doesn't make sense.. you gotta specify to use port >1023

----- Original Message -----
From: "Ramin Alidousti" <ramin at ...2444...>
To: "alexus" <ml at ...1718...>
Cc: "Ramin Alidousti" <ramin at ...2444...>;
<snort-users at lists.sourceforge.net>
Sent: Tuesday, September 04, 2001 4:09 PM
Subject: Re: [Snort-users] my logs is flooding with snort w/ some weird
message about port 53


> No, the opposite. Comment it out:
>
> options {
> ...
> // query-source address * port 53;
> ...
> };
>
> and restart your named:
>
> ndc restart
>
> Ramin
>
> On Tue, Sep 04, 2001 at 04:04:27PM -0400, alexus wrote:
>
> > i added
> >
> > query-source address * port 53;
> >
> > in options in named.conf
> >
> > those messages didn't disappear :(
> >
> > ----- Original Message -----
> > From: "Ramin Alidousti" <ramin at ...2444...>
> > To: "alexus" <ml at ...1718...>
> > Cc: <snort-users at lists.sourceforge.net>
> > Sent: Tuesday, September 04, 2001 3:30 PM
> > Subject: Re: [Snort-users] my logs is flooding with snort w/ some weird
> > message about port 53
> >
> >
> > > I think that your dns server (named) has been told to send
> > > out queries with port (53). These are the responses coming
> > > back. Take a look at "/etc/named.conf" and see if you have
> > > such an entry:
> > >
> > > options {
> > > ...
> > > query-source address * port 53;
> > > ...
> > > };
> > >
> > > If you comment this out then the queries sent out by your
> > > server will be from the unprivileged ports (>1023) and snort
> > > will not complain. Otherwise, take a look at:
> > >
> > > misc.rules:
> > >
> > > alert udp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)
> > >
> > > Hope it helps,
> > > Ramin
> > >
> > >
> > >
> > > On Tue, Sep 04, 2001 at 02:47:19PM -0400, alexus wrote:
> > >
> > > > hello
> > > >
> > > > for some reason i get a lot of traffic on my port 53, even though my
> > > > nameserver is closed for public, can someone explain to me what that
> > > > means?
> > > >
> > > > Sep  4 14:44:05 box snort[11565]: [1:515:2] MISC source port 53 to <1024
> > > > [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP}
> > > > 24.69.255.195:53 -> 66.92.98.145:53
> > > > Sep  4 14:44:08 box snort[11565]: [1:515:2] MISC source port 53 to <1024
> > > > [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP}
> > > > 194.67.2.114:53 -> 66.92.98.145:53
> > > > Sep  4 14:44:08 box snort[11565]: [1:515:2] MISC source port 53 to <1024
> > > > [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP}
> > > > 207.236.57.98:53 -> 66.92.98.145:53
> > > > Sep  4 14:44:08 box snort[11565]: [1:515:2] MISC source port 53 to <1024
> > > > [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP}
> > > > 207.236.57.98:53 -> 66.92.98.145:53
> > > >
> > > > just for example right now it's 2:45pm and since morning i already got
> > > >
> > > > su-2.05# grep -c "MISC source port 53" /var/log/all.log
> > > > 9222
> > > > su-2.05#
> > > >
> > > > of those entries in my log
> > > >
> > > > please help
> > > >
> > > > if this is legit traffic, which rule can i comment out so it won't show
> > > > in my logs? and if this traffic is legit, why does it show as "potentially
> > > > bad traffic"?
> > > >
> > > > thanks in advance
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users at lists.sourceforge.net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
>
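As an added example (not code from this thread, from Snort or from BIND), the script below re-parses the syslog-format alert lines quoted above, counts them by source, and re-implements the header of misc.rules sid:515 (udp $EXTERNAL_NET 53 -> $HOME_NET :1023) so you can check the diagnosis given in the thread: every DNS response to a resolver that sources its queries from port 53 lands on a privileged port and matches, while a response to an ephemeral port does not. The HOME_NET value, the assumption that EXTERNAL_NET is everything outside it, and the "after the fix" packet are constructed for the example; the four alert lines are the ones quoted in the thread, re-joined onto single lines.

```python
import ipaddress
import re
from collections import Counter

# Sample input: the four sid:515 alerts quoted in this thread, re-joined onto
# single lines (the mail client had wrapped them).
SAMPLE_LOG = """\
Sep  4 14:44:05 box snort[11565]: [1:515:2] MISC source port 53 to <1024 [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} 24.69.255.195:53 -> 66.92.98.145:53
Sep  4 14:44:08 box snort[11565]: [1:515:2] MISC source port 53 to <1024 [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} 194.67.2.114:53 -> 66.92.98.145:53
Sep  4 14:44:08 box snort[11565]: [1:515:2] MISC source port 53 to <1024 [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} 207.236.57.98:53 -> 66.92.98.145:53
Sep  4 14:44:08 box snort[11565]: [1:515:2] MISC source port 53 to <1024 [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} 207.236.57.98:53 -> 66.92.98.145:53
"""

# Assumption: the thread never states HOME_NET; a /24 around the logged host is used here.
HOME_NET = ipaddress.ip_network("66.92.98.0/24")

# Constructed: the same upstream server answering a query that the resolver sent
# from an unprivileged port, i.e. what the traffic looks like once
# "query-source address * port 53" is commented out and named restarted.
AFTER_FIX_PKT = {"proto": "UDP", "src": "24.69.255.195", "sport": 53,
                 "dst": "66.92.98.145", "dport": 32771}

# Syslog-format Snort alert: [gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"\[Classification: (?P<cls>[^\]]+)\]\s+\[Priority: (?P<prio>\d+)\]:\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alert(line):
    """Parse one syslog-format Snort alert into a dict; None for lines that are not alerts."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    a = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        a[key] = int(a[key])
    return a


def matches_sid515(pkt, home_net):
    """Header of misc.rules sid:515: udp $EXTERNAL_NET 53 -> $HOME_NET :1023.
    EXTERNAL_NET is taken to be !HOME_NET (assumption, the stock snort.conf default)."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    return (pkt["proto"].upper() == "UDP"
            and pkt["sport"] == 53
            and src not in home_net
            and dst in home_net
            and pkt["dport"] <= 1023)


def triage(lines, home_net):
    """Summarise the sid:515 alerts and flag the pattern from the thread: every
    hit is 53 -> 53, which is what a resolver using query-source port 53 produces."""
    alerts = [a for a in map(parse_alert, lines) if a is not None and a["sid"] == 515]
    by_src = Counter(a["src"] for a in alerts)
    by_dport = Counter(a["dport"] for a in alerts)
    return {
        "count": len(alerts),
        "by_src": by_src,
        "by_dport": by_dport,
        "rule_hits": sum(matches_sid515(a, home_net) for a in alerts),
        "looks_like_query_source_53": bool(alerts) and set(by_dport) == {53},
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines(), HOME_NET)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("after fix still matches sid 515:", matches_sid515(AFTER_FIX_PKT, HOME_NET))
```

Run on the quoted lines, `triage` reports four alerts from three upstream servers, all to destination port 53, so `looks_like_query_source_53` is true: the traffic is ordinary DNS responses, and the only reason the rule fires is the local resolver's choice of source port. `matches_sid515(AFTER_FIX_PKT, HOME_NET)` is false because the response now goes to an ephemeral port, which is why the thread's advice to drop the query-source line and restart named makes the alerts stop without touching the rule. If the counter of destination ports ever shows values other than 53 on a host that runs no other privileged UDP service, that is the case the rule was written for and worth a closer look rather than a rule comment-out.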