AW: [Snort-users] snort filter

Eduard Meiler edik at ...2973...
Wed Sep 26 13:49:03 EDT 2001


Hello Erek,

The DNS is not ours.

The rule for that is as follows, so how should I change this?

alert udp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)


regards
eduard

> -----Original Message-----
> From: Erek Adams [mailto:erek at ...577...]
> Sent: Wednesday, 26 September 2001 22:31
> To: Eduard Meiler
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] snort filter
>
>
> On Wed, 26 Sep 2001, Eduard Meiler wrote:
>
> > after installing snort I get a lot of these messages about the traffic:
> > Does it make sense to disable this function, or is there a way to filter
> > the unnecessary information?
>
> It depends.
>
> > Sep 26 21:00:00 wall snort: [1:515:2] MISC source port 53 to <1024
> > [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP}
> > 193.141.40.1:53 -> 192.168.7.200:53
>
> Consider the source and destination.  Source was from xlink1.xlink.net which
> is a DNS server.  Destination was a private net.  Now if that internal machine
> made a DNS query then this might be normal, seeing as you can specify the port
> to connect back on in the BIND configs.
>
> Is that one of the DNS servers you use?  If not, then something might be up.
> If so, build a pass rule for it if needed, then use the -o switch to swap the
> order of the rules.
>
> Hope this helps!
>
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
>
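As an added illustration of the pass-rule approach Erek describes (not part of the original thread), the fragment below exempts one trusted resolver from sid:515 while leaving the alert in place for every other source. It assumes 193.141.40.1 (the address in the logged alert) is a resolver you actually use; the thread says it is not, so substitute the address of your own resolver, and treat the DNS_SERVERS name and the local sid as placeholders chosen for this example.

```snort
# Added example, not from the mailing list thread.
# Assumption: 193.141.40.1 is a resolver your hosts query; replace with your own.
var DNS_SERVERS [193.141.40.1/32]

# Replies from a resolver you configured are expected traffic; let them through.
# Local rule sid chosen for this example (sids >= 1000000 are reserved for local rules).
pass udp $DNS_SERVERS 53 -> $HOME_NET :1023 (msg:"DNS reply from trusted resolver"; sid:1000001; rev:1;)

# Original rule stays: source port 53 to a low port from any other source still alerts.
alert udp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)

# Snort 1.x evaluates Alert rules before Pass rules by default, so the pass rule above
# would never win. Start snort with -o to change the order to Pass -> Alert -> Log:
#     snort -o -c snort.conf
```

Without -o the alert fires before the pass rule is ever consulted, which is the behaviour the thread's original question describes.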