[Snort-users] my logs is flooding with snort w/ some weird message about port 53

Martin Roesch roesch at ...1935...
Tue Sep 4 14:31:02 EDT 2001


Turn off that rule or tune it to ignore your DNS servers.  Just because
a rule is in the set doesn't mean you have to run it.

     -Marty

alexus wrote:
> 
> hello
> 
> For some reason I get a lot of traffic on my port 53, even though my
> nameserver is closed to the public. Can someone explain to me what that means?
> 
> Sep  4 14:44:05 box snort[11565]: [1:515:2] MISC source port 53 to <1024
> [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP}
> 24.69.255.195:53 -> 66.92.98.145:53
> Sep  4 14:44:08 box snort[11565]: [1:515:2] MISC source port 53 to <1024
> [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP}
> 194.67.2.114:53 -> 66.92.98.145:53
> Sep  4 14:44:08 box snort[11565]: [1:515:2] MISC source port 53 to <1024
> [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP}
> 207.236.57.98:53 -> 66.92.98.145:53
> Sep  4 14:44:08 box snort[11565]: [1:515:2] MISC source port 53 to <1024
> [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP}
> 207.236.57.98:53 -> 66.92.98.145:53
> 
> Just for example, right now it's 2:45pm and since morning I already got
> 
> su-2.05# grep -c "MISC source port 53" /var/log/all.log
> 9222
> su-2.05#
> 
> of those entries in my log
> 
> please help
> 
> If this is legit traffic, which rule can I comment out so it won't show in my
> logs? And if this traffic is legit, why does it show as "potentially bad
> traffic"?
> 
> thanks in advance
> 

--
Martin Roesch - President, Sourcefire Inc.
roesch at ...1935... - http://www.sourcefire.com
Snort - Open Source Network IDS! http://www.snort.org



