Rule: -- Sid: 504 -- Summary: This event is generated when possible non-legitimate traffic is detected that should not be allowed through a firewall. -- Impact: This can be used to pass through a poorly configured firewall. -- Detailed Information: Traffic from TCP port 53 is used by DNS servers for zone transfers. Normal DNS traffic uses the UDP protocol. An attacker could use a TCP source port of 53 to pass through a poorly configured firewall. DNS traffic from port 53 using either UDP or TCP should be to a port above 1023. Ports 1023 and below are privileged. -- Affected Systems: All -- Attack Scenarios: An attacker could use a source port of 53 for TCP connections to bypass a poorly configured firewall. -- Ease of Attack: Simple. -- False Positives: None known. -- False Negatives: None known. -- Corrective Action: Incoming connections from TCP port 53 should only be allowed to machines that need the ability to do zone tranfers. Connections from TCP port 53 should only be allowed to ports >=1024 on these machines. -- Contributors: Original Rule Writer Unknown Sourcefire Research Team Nigel Houghton <nigel.houghton@sourcefire.com> Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu> -- Additional References: Arachnids: http://www.whitehats.com/info/IDS07 --