Hi!,
> Because of successful response on my previous question
> I hope you can help me with this question as well.
> Snort has been installed default except for the HOME_NET parameter.
> However I receive a lot of the next alert messages, which are
> basically DNS/UDP requests.
> Oct 3 15:42:07 systemname snort[609]:
> [1:515:2] MISC source port 53 to <1024
> [Classification: Potentially Bad Traffic] [Priority: 2]:
> {UDP} 1.1.1.31:53 -> 2.2.2.131:53
> Any idea how to reduce this amount of messages?
You should be able to modify the snort.conf rules to stop SNORT looking for
this network condition if you want. Just find the following rule:
alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; flags:S; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:2;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown; sid:515; rev:2;)
And comment them out by placing a ";" in front of them. Once you have done
that, you will need to stop snort and then restart it again. After that, you
shouldn't be bothered by that error message again (or at least snort won't be
looking for it and raising an alert).
See ya
Dean Thompson
--
+____________________________+____________________________________________+
| Bach. Computing (Hons) | ICQ - 45191180 |
| PhD Student | Office - <Off-Campus> |
| School Comp.Sci & Soft.Eng | Phone - +61 3 9903 2787 (Gen. Office) |
| MONASH (Caulfield Campus) | Fax - +61 3 9903 1077 |
| Melbourne, Australia | |
+----------------------------+--------------------------------------------+
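
An added example, not part of the post above or of the Snort distribution: a shell function that disables rules by sid in a rules file and keeps a backup copy. It assumes each rule sits on a single line in the file and uses `#`, the comment character Snort rule and configuration files recognise; the function name `disable_sids` and the path in the usage comment are hypothetical.

```shell
#!/bin/sh
# disable_sids FILE SID [SID...]
# Comment out every active rule in FILE whose sid equals one of the given
# SIDs. The untouched original is kept as FILE.bak.
# Assumption: one rule per line (no backslash continuations).
disable_sids() {
    rules_file=$1
    [ $# -ge 2 ] || { echo "usage: disable_sids FILE SID [SID...]" >&2; return 1; }
    shift
    [ -f "$rules_file" ] || { echo "no such file: $rules_file" >&2; return 1; }

    # Accept only numeric sids so nothing unexpected reaches the awk regex.
    for sid in "$@"; do
        case $sid in
            ''|*[!0-9]*) echo "not a numeric sid: $sid" >&2; return 1 ;;
        esac
    done

    cp -p "$rules_file" "$rules_file.bak" || return 1

    # Prefix matching rule lines with '#'. The pattern requires "sid:",
    # the exact number, then ';', so sid 515 does not match 5150 or 1515.
    # Lines that are already comments do not start with a rule action
    # and are passed through unchanged.
    awk -v sids="$*" '
        BEGIN { n = split(sids, want, " ") }
        /^[ \t]*(alert|log|pass)[ \t]/ {
            for (i = 1; i <= n; i++)
                if ($0 ~ ("sid:[ \t]*" want[i] "[ \t]*;")) {
                    print "#" $0
                    next
                }
        }
        { print }
    ' "$rules_file.bak" > "$rules_file"
}

# Usage (placeholder path), for the two rules quoted in the post:
#   disable_sids /path/to/rules-file 504 515
```

Snort still has to be stopped and started again afterwards, as the post says, before the change takes effect.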