From: Brian Caswell (bmc mitre.org)
Date: Thu May 03 2001 - 11:27:53 CDT
Dave Fitches wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Active System Attack Alerts
> =-=-=-=-=-=-=-=-=-=-=-=-=-=
> [**] MISC source port 53 to <1023 [**]
> 05/04-00:04:47.283946 209.235.102.13:53 -> 203.164.xxx.xxx:53
> UDP TTL:237 TOS:0x0 ID:50935 IpLen:20 DgmLen:460 DF
> [**] MISC source port 53 to <1023 [**]
> 05/04-00:04:47.542673 209.235.102.12:53 -> 203.164.xxx.xxx:53
> UDP TTL:237 TOS:0x0 ID:21123 IpLen:20 DgmLen:137 DF
>
> [...etc...]
>
> Damn thing seems to read every DNS query _I_ do as a bloody alert notable
> event!!
> ARRGHH!!!
Don't use any for $HOME_NET and $EXTERNAL_NET.

I would simply comment out that rule. Adding a "pass" rule could lead
to bad things being ignored. It's trivial to change the src port for
exploits.
-brian
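
An added illustration of the reply above, not part of the original post and not Snort's own code: a simplified Python model comparing the noisy rule left enabled, the rule commented out, and a "pass" rule keyed on source port 53. The rule fields, the addresses (documentation prefixes), the second alert rule and the assumption that a matching pass rule suppresses every alert for that packet are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def in_net(addr, net):
    return net == "any" or ip_address(addr) in ip_network(net)

@dataclass(frozen=True)
class Rule:
    action: str      # "alert" or "pass"
    msg: str
    src_net: str     # CIDR or "any"
    sport: range
    dst_net: str
    dport: range

    def matches(self, p):
        return (in_net(p.src, self.src_net) and p.sport in self.sport
                and in_net(p.dst, self.dst_net) and p.dport in self.dport)

def evaluate(rules, pkt):
    """Assumed ordering: any matching pass rule silences all alerts for the packet."""
    if any(r.action == "pass" and r.matches(pkt) for r in rules):
        return []
    return [r.msg for r in rules if r.action == "alert" and r.matches(pkt)]

ANY_PORT = range(0, 65536)
HOME = "192.0.2.0/24"  # constructed documentation prefix standing in for $HOME_NET
# Simplified stand-ins for rules; not the real rule text.
NOISY = Rule("alert", "MISC source port 53 to <1023", "any", range(53, 54), HOME, range(0, 1024))
OTHER = Rule("alert", "hypothetical: UDP to port 111", "any", ANY_PORT, HOME, range(111, 112))
PASS53 = Rule("pass", "ignore source port 53", "any", range(53, 54), HOME, ANY_PORT)

dns_reply = Packet("198.51.100.7", 53, "192.0.2.10", 53)         # ordinary 53 -> 53 DNS reply
non_dns_from_53 = Packet("198.51.100.9", 53, "192.0.2.10", 111)  # other traffic sent from port 53

def compare():
    """Alerts raised for (dns_reply, non_dns_from_53) under each configuration."""
    configs = {"enabled": [NOISY, OTHER],
               "commented_out": [OTHER],
               "with_pass": [PASS53, NOISY, OTHER]}
    return {name: (evaluate(rs, dns_reply), evaluate(rs, non_dns_from_53))
            for name, rs in configs.items()}
```

Commenting the rule out removes only its own alert, while the pass rule also hides the unrelated alert for the packet that merely uses source port 53.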