[Snort-users] UDP Alerts

Matt Kettler mkettler at ...4108...
Mon Jan 14 10:11:02 EST 2002


I have not seen IM's or streaming media sources trigger this signature yet, 
but I've seen some old, strange and/or misconfigured DNS servers do this. 
It seems at one point in history (long, long, ago) DNS servers used port 0 
in addition to port 53..  I'll definitely keep an eye out for this newer 
source of triggering..


For those who want more details about the packets I saw they were 
(some_outside_dns):53 -> (my_local_dns):0 UDP with a body containing a 
valid DNS query response.

At 08:34 AM 1/13/2002 -0500, you wrote:
>I suspected there was a differing definition for "authentication" being used
>during the discussion!
>
>On an unrelated note, is anyone (everyone) seeing streaming media sources
>(Akamai, RealMedia, AOL and others) trigger the "BAD-TRAFFIC udp port 0"
>alert?  I have to disable that alert manually on each update as a result.
>Is there ever a case where one must watch this traffic for surreptitious
>activity?
>
>Frank
>
>-----Original Message-----
>From: Saad Kadhi [mailto:bsdguy at ...4401...]
>Sent: Sunday, January 13, 2002 8:18 AM
>To: Frank Reid
>Cc: Snort Users; kamesh_rajaram at ...4543...
>Subject: RE: [Snort-users] Patch for ACID....!!
>
>
>On Sun, 2002-01-13 at 14:01, Frank Reid wrote:
> > It could be a useful feature to have both an "anonymous" and
>"administrator"
> > (authenticated) mode on ACID.  The anonymous user would be allowed to
> > search/display alerts, graph data, etc., but not delete, archive, etc.  In
> > fact, it would be great to support granular accounts in both ACID and
> > Demarc, probably associated with specified database criteria such as the
> > alert type, address space, etc.  So, if "User X" is associated with
>address
> > 1.2.3.0/24 and has non-administrative permissions (no delete), "User X" is
> > only able to query within those bounds after authenticating.  "User Y" is
>a
> > website administrator, so he only has non-administrative permissions for
> > 1.2.3.4/32 and only for alerts WEB-IIS, WEB-MISC, etc.
>Now I got the picture. I thought it was just a need to authenticate
>access to the acid subdir. My sincere apologies to kamesh for such a
>misunderstanding.
>
>Regards.
>
>
>
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users





More information about the Snort-users mailing list