[Snort-users] UDP Alerts
mkettler at ...4108...
Mon Jan 14 10:11:02 EST 2002
I have not seen IMs or streaming media sources trigger this signature yet,
but I've seen some old, strange and/or misconfigured DNS servers do this.
It seems at one point in history (long, long, ago) DNS servers used port 0
in addition to port 53.. I'll definitely keep an eye out for this newer
source of triggering..
For those who want more details about the packets I saw, they were
(some_outside_dns):53 -> (my_local_dns):0 UDP with a body containing a
valid DNS query response.
At 08:34 AM 1/13/2002 -0500, you wrote:
>I suspected there was a differing definition for "authentication" being used
>during the discussion!
>On an unrelated note, is anyone (everyone) seeing streaming media sources
>(Akamai, RealMedia, AOL and others) trigger the "BAD-TRAFFIC udp port 0"
>alert? I have to disable that alert manually on each update as a result.
>Is there ever a case where one must watch this traffic for surreptitious
>From: Saad Kadhi [mailto:bsdguy at ...4401...]
>Sent: Sunday, January 13, 2002 8:18 AM
>To: Frank Reid
>Cc: Snort Users; kamesh_rajaram at ...4543...
>Subject: RE: [Snort-users] Patch for ACID....!!
>On Sun, 2002-01-13 at 14:01, Frank Reid wrote:
> > It could be a useful feature to have both an "anonymous" and
> > (authenticated) mode on ACID. The anonymous user would be allowed to
> > search/display alerts, graph data, etc., but not delete, archive, etc. In
> > fact, it would be great to support granular accounts in both ACID and
> > Demarc, probably associated with specified database criteria such as the
> > alert type, address space, etc. So, if "User X" is associated with
> > 126.96.36.199/24 and has non-administrative permissions (no delete), "User X" is
> > only able to query within those bounds after authenticating. "User Y" is
> > a website administrator, so he only has non-administrative permissions for
> > 188.8.131.52/32 and only for alerts WEB-IIS, WEB-MISC, etc.
>Now I got the picture. I thought it was just a need to authenticate
>access to the acid subdir. My sincere apologies to kamesh for such a
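A triage check for the packets described at the top of this message (source port 53, destination port 0, body a valid DNS response), added here as an example and not part of the original post or of Snort. The function names, the addresses (documentation ranges) and the sample packets are constructed assumptions.

```python
import struct

def build_ipv4_udp(src, dst, sport, dport, payload):
    """Construct a sample IPv4/UDP packet (checksums left zero; test data only)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + udp

def looks_like_dns_response(data):
    """True if data has a DNS header with QR=1 and well-formed question names."""
    if len(data) < 12:
        return False
    _id, flags, qd, _an, _ns, _ar = struct.unpack("!6H", data[:12])
    if not flags & 0x8000 or qd == 0 or qd > 4:
        return False
    off = 12
    for _ in range(qd):
        while True:
            if off >= len(data):
                return False
            n = data[off]
            off += 1
            if n == 0:
                break
            if n > 63:          # compression pointer or junk in a question name
                return False
            off += n
        off += 4                # QTYPE + QCLASS
    return off <= len(data)

def classify(packet):
    """Triage one raw IPv4 packet for the 'udp port 0' case."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 17:
        return "not-udp"
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 8:
        return "truncated"
    sport, dport, ulen, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if sport != 0 and dport != 0:
        return "not-port-0"
    payload = packet[ihl + 8:ihl + ulen]
    if sport == 53 and dport == 0 and looks_like_dns_response(payload):
        return "dns-response-to-port-0"
    return "other-port-0"

# Constructed DNS response: id 0x1234, flags 0x8180, one question, one A answer
DNS_RESP = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + b"\x07example\x03com\x00"
            + struct.pack("!HH", 1, 1) + b"\xc0\x0c"
            + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
```

Packets that come back as `other-port-0` are the ones still worth a manual look; the DNS-response case matches the pattern reported above.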