[Snort-users] my logs is flooding with snort w/ some weird message about port 53

alexus ml at ...1718...
Tue Sep 4 14:37:02 EDT 2001


i have in my snort.conf

var HOME_NET $fxp0_ADDRESS
var DNS_SERVERS $HOME_NET

i thought it's already in.. i don't want to turn off that rule i want to
configure my bind/named to use higher port than 1023

if someone knows how to do it please let me know

thanks in advance

----- Original Message -----
From: "Martin Roesch" <roesch at ...1935...>
To: "alexus" <ml at ...1718...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Tuesday, September 04, 2001 9:29 PM
Subject: Re: [Snort-users] my logs is flooding with snort w/ some weird message about port 53


> Turn off that rule or tune it to ignore your DNS servers.  Just because
> a rule is in the set doesn't mean you have to run it.
>
>      -Marty
>
> alexus wrote:
> >
> > hello
> >
> > for some reason i get a lot of traffic on my port 53, even though my
> > nameserver is closed for public, can someone explain me what does that
> > mean?
> >
> > Sep  4 14:44:05 box snort[11565]: [1:515:2] MISC source port 53 to <1024
> > [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP}
> > 24.69.255.195:53 -> 66.92.98.145:53
> > Sep  4 14:44:08 box snort[11565]: [1:515:2] MISC source port 53 to <1024
> > [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP}
> > 194.67.2.114:53 -> 66.92.98.145:53
> > Sep  4 14:44:08 box snort[11565]: [1:515:2] MISC source port 53 to <1024
> > [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP}
> > 207.236.57.98:53 -> 66.92.98.145:53
> > Sep  4 14:44:08 box snort[11565]: [1:515:2] MISC source port 53 to <1024
> > [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP}
> > 207.236.57.98:53 -> 66.92.98.145:53
> >
> > just for example right now it's 2:45pm and since morning i already got
> >
> > su-2.05# grep -c "MISC source port 53" /var/log/all.log
> > 9222
> > su-2.05#
> >
> > of those entries in my log
> >
> > please help
> >
> > if this a legit traffic which rule i can comment out so it won't show in
> > my logs? and if this traffic is legit why is it shows as "potentially bad
> > traffic"?
> >
> > thanks in advance
> >
>
> --
> Martin Roesch - President, Sourcefire Inc.
> roesch at ...1935... - http://www.sourcefire.com
> Snort - Open Source Network IDS! http://www.snort.org
>
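
Added example, not part of the original thread: a triage script for the SID 515 alerts quoted above. It separates hits aimed at port 53 on a known DNS server (the ones the reply suggests tuning out) from hits on any other low port. The addresses, the SAMPLE text and the function names are constructed for illustration; only the log format is taken from the thread.

```python
import re
from collections import Counter

# Syslog form of a Snort alert, as quoted in the thread:
# [gid:sid:rev] msg [Classification: ..] [Priority: n]: {PROTO} src:sp -> dst:dp
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]:\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alerts(text):
    """Yield one dict per alert; tolerates alerts wrapped over several lines."""
    flat = " ".join(text.split())  # undo mail/terminal line wrapping
    for m in ALERT_RE.finditer(flat):
        alert = m.groupdict()
        for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
            alert[key] = int(alert[key])
        yield alert

def triage(text, dns_servers, sid=515):
    """Count alerts for `sid`, split by whether they hit a DNS server on 53.

    Assumption of this example: only port 53 on a listed DNS server is a
    candidate for tuning out; any other low destination port stays visible.
    """
    to_dns, other = Counter(), Counter()
    for a in parse_alerts(text):
        if a["sid"] != sid:
            continue
        bucket = to_dns if a["dst"] in dns_servers and a["dport"] == 53 else other
        bucket[(a["src"], a["dst"], a["dport"])] += 1
    return to_dns, other

# Constructed sample in the thread's format (documentation address ranges).
_T = ("Sep  4 14:44:{:02d} box snort[11565]: [1:515:2] MISC source port 53 to <1024\n"
      "[Classification: Potentially Bad Traffic] [Priority: 2]: {{UDP}}\n"
      "{}:53 -> {}:{}\n")
SAMPLE = "".join(_T.format(*row) for row in [
    (5, "198.51.100.7", "192.0.2.10", 53),
    (8, "203.0.113.9", "192.0.2.10", 53),
    (8, "203.0.113.9", "192.0.2.10", 53),
    (9, "203.0.113.77", "192.0.2.10", 111),
    (10, "203.0.113.77", "192.0.2.20", 25),
])

if __name__ == "__main__":
    to_dns, other = triage(SAMPLE, {"192.0.2.10"})
    print("to DNS servers on 53:", dict(to_dns))
    print("still worth a look:  ", dict(other))
```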




