Re: snort and port 53 <-> 53 false positives
From: Reiner Griess (mynewnews@gmx.net) Date: 04/09/02
- In reply to: Keith W. McCammon: "Re: snort and port 53 <-> 53 false positives"
From: mynewnews@gmx.net (Reiner Griess) Date: 9 Apr 2002 01:30:10 GMT
Yes, I've entered all nameservers listed in
/var/named/namedb/root.cache. Those IPs are listed in $DNS_SERVERS in
my snort.conf. I receive all these false positives. The hosts involved
are nameservers or something harmless:
$ host 212.121.128.2
Name: ns1.de.colt.net
Address: 212.121.128.2
$ host 193.171.255.34
Name: sss-at.denic.de
Address: 193.171.255.34
$ host 192.55.83.30
Name: m.gtld-servers.net
Address: 192.55.83.30
...
Any more ideas?
thank you
reiner (and good night :)
In article <a8t69b$v5gui$1@ID-59806.news.dfncis.de>, Keith W. McCammon wrote:
> Did you specify the appropriate addresses as name servers within the
> snort.conf file?
>
> --
> Keith W. McCammon
>
>
> "Reiner Griess" <mynewnews@gmx.net> wrote in message
> news:slrnab45nc.bj8.mynewnews@yesyesyo.triple-y.org...
>> Hi there,
>>
>> I've installed snort 1.8.1 and receive a lot of false positives
>> because of the traffic between my caching nameserver and the root
>> nameserver.
>>
>> [**] [1:515:2] MISC source port 53 to <1024 [**]
>> [Classification: Potentially Bad Traffic] [Priority: 2]
>> 04/08-21:38:07.812879 80.131.85.157:53 -> 193.141.40.42:53
>> UDP TTL:64 TOS:0x0 ID:65337 IpLen:20 DgmLen:59
>> Len: 39
>>
>> [**] [1:515:2] MISC source port 53 to <1024 [**]
>> [Classification: Potentially Bad Traffic] [Priority: 2]
>> 04/08-21:38:07.886707 193.141.40.42:53 -> 80.131.85.157:53
>> UDP TTL:244 TOS:0x0 ID:30671 IpLen:20 DgmLen:109 DF
>> Len: 89
>>
>>
>> A pass rule can solve the problem:
>>
>> pass udp any 53 -> $tun0_ADDRESS 53
>> # (tun0 is my external interface)
>>
>>
>> but this way somebody can flood my port 53 with packets from port 53,
>> right?
>> Another way to solve the problem may be to comment out the following
>> rule in misc.rules:
>>
>> alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port
>> 53 to <1024"; flags:S; reference:arachnids,07; classtype:bad-unknown;
>> sid:504; rev:2;)
>>
>>
>> What is the best way to get around this false positive??
>>
>> Thanks a lot
>> reiner
>>
>> (sorry for crossposting... my fingers were a bit too fast :)
>
>
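As an added example (not code from the thread or from the Snort project), a small Python triage script that parses alert records in the layout quoted above and treats UDP 53<->53 traffic as expected only when the remote end is one of the configured nameservers, which is what a pass rule restricted to $DNS_SERVERS would do instead of the blanket `pass udp any 53 -> $tun0_ADDRESS 53`. The HOME_NET value, the contents of DNS_SERVERS, the second (constructed) alert and the bracketed IP-list syntax in the generated pass rule are assumptions.

```python
import re
# Two alert records in the Snort 1.8 full-alert layout quoted in the thread. The first is
# the thread's own root-server reply; the second is constructed: an unknown host also using
# source port 53, which the blanket "pass udp any 53 -> $tun0_ADDRESS 53" would hide.
SAMPLE_ALERTS = """\
[**] [1:515:2] MISC source port 53 to <1024 [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/08-21:38:07.886707 193.141.40.42:53 -> 80.131.85.157:53
UDP TTL:244 TOS:0x0 ID:30671 IpLen:20 DgmLen:109 DF
Len: 89

[**] [1:515:2] MISC source port 53 to <1024 [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/08-21:40:00.000000 198.51.100.7:53 -> 80.131.85.157:53
UDP TTL:52 TOS:0x0 ID:1 IpLen:20 DgmLen:512
Len: 492
"""
# Assumed, not from the thread: 80.131.85.157 is the local resolver; $DNS_SERVERS = root.cache entries.
HOME_NET = {"80.131.85.157"}
DNS_SERVERS = {"193.141.40.42", "212.121.128.2", "193.171.255.34", "192.55.83.30"}
HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]$")
FLOW = re.compile(r"^\S+ (\S+):(\d+) -> (\S+):(\d+)$")

def parse_alerts(text):
    """Return (sid, proto, src, sport, dst, dport) for each complete alert record."""
    out = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        if len(lines) < 4:
            continue  # not a full record (header, classification, flow, IP line)
        head, flow = HEADER.match(lines[0]), FLOW.match(lines[2])
        if head and flow:
            out.append((int(head.group(2)), lines[3].split()[0], flow.group(1),
                        int(flow.group(2)), flow.group(3), int(flow.group(4))))
    return out

def is_expected_resolver_traffic(sid, proto, src, sport, dst, dport):
    """Whitelist only UDP 53<->53 whose remote end is a configured nameserver."""
    if proto != "UDP" or sport != 53 or dport != 53:
        return False
    remote = dst if src in HOME_NET else src
    return remote in DNS_SERVERS

def triage(text):
    return [("expected" if is_expected_resolver_traffic(*a) else "review", a[2])
            for a in parse_alerts(text)]

def suggested_pass_rule():
    """Narrower replacement for the blanket pass rule: only the configured servers."""
    return "pass udp [%s] 53 -> $HOME_NET 53" % ",".join(sorted(DNS_SERVERS))
```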