• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2335
  • Last Modified:

Snort Rules :ET RBN Known Russian Business Network IP UDP

I know Why Snort is blocking the IP's .
but I am little bit of confused bout Source port and destination port for this attack

have a look bellow 2 log

15        2        UDP        ET RBN Known Russian Business Network IP UDP (238)         Misc Attack        39817        ->        53        1:2406475:193        09/06-15:36:05
16       2       UDP       ET RBN Known Russian Business Network IP UDP (237)       Misc Attack       1068       ->       53       1:2406473:193       09/06-15:35:54

Here : is our Internal Dns server
and is our Mail server.

in both log is showing , Destination port is 53 and Souce port is our network

to me it like, I am doing an attack to those IP's but snort is blocking those IP .

i just want to get an explanation .. why source port is our and destination port is those Ip .

note : I m not trying to edit or disable rules. here i am trying to understand, how this attack is happening / why source port is mine ?

  • 5
  • 3
1 Solution
they scan for recursive DNS servers. If you do not have one "error" messages are simple background noise.
fosiul01Author Commented:
Hi sorry for late reply

i know its look for recursive dns server.

but what i dont understand why and how its touching my mail server,

look at this log

6       2       UDP        ET RBN Known Russian Business Network IP UDP (237)       Misc  Attack       1068       ->        53       1:2406473:193       09/06-15:35:54 is my mail server

thats bugging me ..

fosiul01Author Commented:
1                        2                        UDP                        ET RBN Known Russian Business Network IP UDP (238)                         Misc Attack                                      41989                        ->                                      53                        1:2406475:193                        09/08-22:46:57                                                2                        2                        UDP                        ET RBN Known Russian Business Network IP UDP (238)                         Misc Attack                                      1068                        ->                                      53                        1:2406475:193                        09/08-22:46:471

So look, same Rusian Ip,

one src ip is my dns server which is
and another one is which is mail server

why src ip is my mail server ?? i am asking for a explanations

WEBINAR: GDPR Implemented - Tips & Lessons Learned

Join the WatchGuard team on Thursday, March 29th as we recount some valuable lessons learned in weighing the needs of a business against the new regulatory environment, look ahead at the two months left before implementation, and help you understand the steps you can take today!

you ( seem to be in all imaginable spam blacklists....
are you sure your mail server is secured well???
ben je in BE of ben je in LU?
fosiul01Author Commented:
no no this is not my ip  !!!!

snort is blocking ip as its a attack (rusian network)

what made me surprise is :

Why Source port is my server  ??

15        2         UDP        ET RBN Known Russian Business Network IP UDP (238)          Misc Attack        39817        ->        53        1:2406475:193        09/06-15:36:05

16        2       UDP       ET RBN Known Russian Business Network IP UDP  (237)       Misc Attack       1068       ->       53       1:2406473:193       09/06-15:35:54

if you look the above log

in both case ip is the Destination(53) and and  is the src .

thats the thing i trying to understand, why src port is our side

if russion network try to look for recursive dns server, then destination port would be us, and source port would be ,

may be it works this way!! but since i dont know.. need an explanations

you need to see why your DNS tries to access spammer and who of your users tries to do this lookup....
fosiul01Author Commented:
Thats the problem...

[**] [1:2406473:193] ET RBN Known Russian Business Network IP UDP (237) [**]
[Classification: Misc Attack] [Priority: 2]
09/09-11:00:37.720272 ->
UDP TTL:64 TOS:0x0 ID:16939 IpLen:20 DgmLen:80
Len: 52
[Xref => http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork]

[**] [1:2406473:193] ET RBN Known Russian Business Network IP UDP (237) [**]
[Classification: Misc Attack] [Priority: 2]
09/09-11:00:42.812235 ->
UDP TTL:128 TOS:0x0 ID:24159 IpLen:20 DgmLen:69
Len: 41
[Xref => http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork]

Here ( SBS 2003,working as DNS but it has forwarder to )
hence i guess i am seeing both Ips there .

i used pfsense with snort, so pfsense has blocked this anyway .

but question is, why it sending dns query to

its not coming from any user computers ....

fosiul01Author Commented:
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Easily Design & Build Your Next Website

Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.

  • 5
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now