Snort Rules: ET RBN Known Russian Business Network IP UDP
Posted on 2010-09-06
I know why Snort is blocking the IPs,
but I am a little bit confused about the source port and destination port for this attack.
Have a look at the 2 log entries below:
15 2 UDP ET RBN Known Russian Business Network IP UDP (238) Misc Attack 192.168.1.67 39817 -> 18.104.22.168 53 1:2406475:193 09/06-15:36:05
16 2 UDP ET RBN Known Russian Business Network IP UDP (237) Misc Attack 192.168.1.7 1068 -> 22.214.171.124 53 1:2406473:193 09/06-15:35:54
Here, 192.168.1.67 is our internal DNS server
and 192.168.1.7 is our mail server.
In both logs, the destination port is 53 and the source port is our network.
To me it looks like I am doing an attack on those IPs, but Snort is blocking those IPs.
I just want to get an explanation: why is the source port ours and the destination port those IPs?
Note: I am not trying to edit or disable rules. Here I am trying to understand how this attack is happening / why the source port is mine.