 
From: Bill Gercken (bgerckenprovidentanalysis.com)
Date: Thu Mar 15 2001 - 05:05:05 CST


    Does that imply that we should perhaps remove it from the perimeter sensor
    and only use it on the internal sensors?
    Also, is there a way to allow normal DNS traffic to be ignored by this rule?

    -bill

    --
    William C. Gercken
    Provident Analysis Corporation
    bgerckenprovidentanalysis.com
    

    -----Original Message-----
    From: snort-users-adminlists.sourceforge.net [mailto:snort-users-adminlists.sourceforge.net] On Behalf Of Erik Fichtner
    Sent: Wednesday, March 14, 2001 8:34 PM
    To: Ian Campbell
    Cc: 'snort-userslists.sourceforge.net'
    Subject: Re: [Snort-users] [**] MISC source port 53 to <1023 [**]


    On Wed, Mar 14, 2001 at 04:30:21PM -0800, Ian Campbell wrote:
    > Can anyone give me more info on this particular rule or the details of any
    > exploits it's supposed to catch?

    If you had a stateless firewall, say something like a bunch of cisco router access-lists, you would probably allow queries from some machines to port 53, because you would want to make DNS requests.. And since your packet filter would be stateless, you would want to allow replies from the nameservers, which is using source port 53.

    Right?

    Okay.. so this sort of thing was conceived back in the day when you could be fairly certain that the Average Guy couldn't come along and craft a custom packet. But now, Average Guy can create all manner of crap on the wire, and making his packets claim to be from port 53 might just get them through your wimpy stateless firewall, if you happen to have that.

    And thus, why there's a rule to catch that kind of thing... Except that it falses a lot.

    --
    Erik Fichtner
    Security Administrator, ServerVault, Inc.
    703-333-5900


    _______________________________________________
    Snort-users mailing list
    Snort-userslists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    http://lists.sourceforge.net/lists/listinfo/snort-users

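As an added illustration (not code from the thread, from Snort, or from either poster), the sketch below puts the stateless check Erik describes next to a state-aware variant that addresses Bill's question: it remembers outbound DNS queries so that the matching reply is not flagged, while an unsolicited packet claiming source port 53 still is. The home network, addresses and packets are constructed sample values.

```python
"""Stateless vs. state-aware 'source port 53 to a privileged port' check.

Everything here is constructed for illustration; it is not Snort code.
"""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")

# Constructed protected network (stands in for Snort's $HOME_NET).
HOME_NET = ipaddress.ip_network("192.168.1.0/24")


def in_home_net(addr):
    return ipaddress.ip_address(addr) in HOME_NET


def stateless_alert(pkt):
    """The rule as Erik describes it: any UDP packet from source port 53
    to a privileged port (<=1023) on the home network. It cannot tell a
    real reply from a packet that merely claims to come from port 53."""
    return (pkt.proto == "udp" and pkt.sport == 53
            and pkt.dport <= 1023 and in_home_net(pkt.dst))


class DnsStateTracker:
    """Keeps a table of outbound queries and only alerts on source-port-53
    packets that no inside host asked for (the stateful firewall's view)."""

    def __init__(self):
        self.pending = set()  # (server, client, client_port) of open queries

    def observe(self, pkt):
        """Return True when the packet should raise an alert."""
        if pkt.proto != "udp":
            return False
        if in_home_net(pkt.src) and pkt.dport == 53:      # outbound query
            self.pending.add((pkt.dst, pkt.src, pkt.sport))
            return False
        if stateless_alert(pkt):                           # inbound, sport 53
            key = (pkt.src, pkt.dst, pkt.dport)
            if key in self.pending:                        # solicited reply
                self.pending.discard(key)
                return False
            return True                                    # unsolicited
        return False


# Constructed traffic: a query sent from a privileged port (older resolvers
# did this), its legitimate reply, and an unsolicited packet to port 111.
SAMPLE = [
    Packet("udp", "192.168.1.10", 1023, "10.0.0.53", 53),
    Packet("udp", "10.0.0.53", 53, "192.168.1.10", 1023),
    Packet("udp", "203.0.113.9", 53, "192.168.1.20", 111),
]


def run(packets):
    """Per packet: (stateless verdict, state-aware verdict)."""
    tracker = DnsStateTracker()
    return [(stateless_alert(p), tracker.observe(p)) for p in packets]
```

On the sample traffic the stateless check fires on both inbound packets, while the state-aware check fires only on the unsolicited one.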