[Snort-users] RE: Snort-users digest, Vol 1 #1701 - 14 msgs

Michael B. Easter mb.easter at ...5068...
Tue Mar 19 05:58:04 EST 2002


What you are seeing IS DNS traffic.  BIND DNS uses UDP and TCP port 53 on
the server, and a dynamic UDP port on the client to handle
requests/responses.  In the event port 53 is not available on either
machine, it will search for a dynamic port to use instead.  I'd recommend
writing a rule to accept/ignore traffic both to and from port 53 (local and
remote).  It is possible to have a situation where dynamic ports are used on
both ends, but I haven't seen it actually happen myself; it usually uses 53
on one end or the other.

Mike E.



Message: 4
Date: Tue, 19 Mar 2002 10:57:37 +0530
From: Dushyanth Harinath <dushy at ...5318...>
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] DNS portscan alerts
Reply-To: Dushyanth Harinath <dushy at ...5318...>
Organization: Never Mind!!

* Leigh David Heyman <leigh at ...5300...> [020319 04:15]:
>
> >
> > Oh, sorry, my mistake, but the alerts are from many nameservers, not
> > from a particular one and listing them all is not possible.
> >
>
> True, but are the scans TO several systems or just one or a few... while
> clearly you can't ignore all the external nameservers which are "scanning"
> you, can you possibly exclude your "internal" systems which are being
> "scanned" from the group of systems which spp_portscan is watching over, or
> would that simply mean your entire network, and thus disabling spp_portscan
> altogether?

No, I can't do that because it's my public interface.

Let me explain it to you better.

                             --------
                             |Router|
                             --------
                               |
                               | eth0 (xxx.xxx.xxx.xxx) public IP
                            ----------
                            | server |
                            |        |
                             ---------
                               | eth1 (192.168.0.1) Local Lan IP
                               | Snort and dnscache
                  ---------------------------
                  |     |    |    |     |   |

                    client machines on lan


Whenever the dnscache running on 192.168.0.1 queries an external DNS server,
it results in a portscan alert with the source being the external DNS server
and the destination my public interface on the server.

Some of the logs again.

Mar 15 12:05:27 203.255.112.34:53 -> xxx.xxx.xxx.xxx:8067 UDP
Mar 15 12:05:27 203.255.112.34:53 -> xxx.xxx.xxx.xxx:39735 UDP
Mar 15 12:05:27 203.255.112.34:53 -> xxx.xxx.xxx.xxx:9439 UDP
Mar 15 12:05:28 203.255.112.34:53 -> xxx.xxx.xxx.xxx:41048 UDP
Mar 15 12:05:28 203.255.112.34:53 -> xxx.xxx.xxx.xxx:61123 UDP
Mar 15 12:05:28 203.255.112.34:53 -> xxx.xxx.xxx.xxx:57003 UDP
Mar 15 12:05:28 203.255.112.34:53 -> xxx.xxx.xxx.xxx:49847 UDP
Mar 15 12:05:29 203.255.112.34:53 -> xxx.xxx.xxx.xxx:6503 UDP
Mar 15 12:05:29 203.255.112.34:53 -> xxx.xxx.xxx.xxx:14650 UDP
Mar 15 12:05:29 203.255.112.34:53 -> xxx.xxx.xxx.xxx:24046 UDP
Mar 15 12:05:29 203.255.112.34:53 -> xxx.xxx.xxx.xxx:45110 UDP
Mar 15 12:05:29 203.255.112.34:53 -> xxx.xxx.xxx.xxx:16721 UDP


So, I can't ignore the portscan traffic to the public interface.

Hope I have explained it clearly now :)
cheers
dushyanth
--
How about some patent       |  Dushyanth Harinath
on "(a+b)2 == a2+2ab+b2"    |  Archean Infotech
... choose free software!   |  http://www.archeanit.com
 --some Usenet siggy        |  http://symonds.net/~dushy
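As an added example (not code from either poster), here is a small Python triage script for the spp_portscan log format shown in Dushyanth's post. It groups lines by source/destination and labels a group "dns-reply" when every packet matches the pattern Mike describes (remote port 53 answering to a local dynamic port), which is exactly the traffic a resolver such as dnscache generates. The 198.51.100.7 public address, the 192.0.2.9 sender and the three TCP lines are constructed for contrast.

```python
import re
from collections import defaultdict

# Constructed sample input: four of the lines quoted in the post with the masked
# public IP replaced by 198.51.100.7, plus three constructed TCP lines showing
# what a genuinely scan-like group (many low ports from one source) looks like.
SAMPLE_LOG = """\
Mar 15 12:05:27 203.255.112.34:53 -> 198.51.100.7:8067 UDP
Mar 15 12:05:27 203.255.112.34:53 -> 198.51.100.7:39735 UDP
Mar 15 12:05:28 203.255.112.34:53 -> 198.51.100.7:41048 UDP
Mar 15 12:05:29 203.255.112.34:53 -> 198.51.100.7:6503 UDP
Mar 15 12:06:01 192.0.2.9:40001 -> 198.51.100.7:21 TCP
Mar 15 12:06:01 192.0.2.9:40002 -> 198.51.100.7:22 TCP
Mar 15 12:06:01 192.0.2.9:40003 -> 198.51.100.7:23 TCP
"""

# "Mon DD HH:MM:SS src:sport -> dst:dport PROTO", as written by spp_portscan
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

def parse_line(line):
    """Return a dict for one spp_portscan log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d

def classify(log_text, dns_port=53, ephemeral_min=1024):
    """Group events by (src, dst, proto) and label each group.

    'dns-reply': every packet is UDP from the remote's port 53 to one of our
    dynamic ports, i.e. answers to queries our resolver sent out.
    'suspect': anything else, e.g. one source walking several low ports.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            groups[(ev["src"], ev["dst"], ev["proto"])].append(ev)
    verdicts = {}
    for key, evs in groups.items():
        replies = all(e["proto"] == "UDP" and e["sport"] == dns_port
                      and e["dport"] >= ephemeral_min for e in evs)
        verdicts[key] = "dns-reply" if replies else "suspect"
    return verdicts

if __name__ == "__main__":
    for (src, dst, proto), verdict in classify(SAMPLE_LOG).items():
        print(f"{src} -> {dst} {proto}: {verdict}")
```

The label is a triage hint rather than proof: a sender chooses its own source port, so a "dns-reply" group still deserves a glance at whether the local resolver actually had queries outstanding to that server.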




