Snort mailing list archives
DNS, portscan, & laptops
From: Andrew Daviel <andrew () andrew triumf ca>
Date: Mon, 18 Jun 2001 09:40:41 -0700 (PDT)
A little gotcha - well, as it relates to my reporter script
http://andrew.triumf.ca/pub/security/reporter/

The notes say to ignore DNS servers to avoid triggering the portscan plugin. So I ignore the root nameservers, our onsite users use our onsite nameservers, occasional DNS lookups are ignored, and everything is OK.

Then someone brings a laptop onsite, forgets to reconfigure the DNS from their home ISP, and does a lot of surfing. Result, 2 automated complaints sent to their ISP (followed by manual "sorry! please ignore.").

I since fixed the script to ignore UDP source port 53. Normally, I suppose, you would like to know about someone misconfigured like this, but probably not to panic...

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security () triumf ca
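The triage described in the message above, as an added example that is not part of the original post or the reporter script: it holds back complaints for traffic that looks like DNS replies and instead lists the inside host for local follow-up. The log line layout, the sample addresses and the `triage` function are assumptions, and the rule is deliberately stricter than "ignore UDP source port 53" so that port-53 traffic aimed at several hosts or at low ports is still reported.

```python
import re
from collections import defaultdict

# Constructed sample lines; the "time src:port -> dst:port PROTO" layout is an
# assumption about the portscan log, not taken from the post.
SAMPLE_LOG = """\
Jun 18 09:12:01 198.51.100.53:53 -> 192.0.2.77:1031 UDP
Jun 18 09:12:01 198.51.100.53:53 -> 192.0.2.77:1032 UDP
Jun 18 09:12:02 198.51.100.53:53 -> 192.0.2.77:1033 UDP
Jun 18 09:12:04 198.51.100.53:53 -> 192.0.2.77:1034 UDP
Jun 18 09:15:40 203.0.113.9:4021 -> 192.0.2.10:21 SYN
Jun 18 09:15:40 203.0.113.9:4022 -> 192.0.2.10:23 SYN
Jun 18 09:15:41 203.0.113.9:4023 -> 192.0.2.10:25 SYN
Jun 18 09:20:10 203.0.113.80:53 -> 192.0.2.10:111 UDP
Jun 18 09:20:10 203.0.113.80:53 -> 192.0.2.11:111 UDP
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ ([\d.]+):(\d+) -> ([\d.]+):(\d+) (\w+)")

def triage(log_text):
    """Return (complain, local_followup) built from portscan log text.

    complain: sorted list of source IPs to report to their ISP.
    local_followup: {inside_host: sorted resolver IPs} for hosts that appear
    to be using an offsite DNS server.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            src, sport, dst, dport, proto = m.groups()
            by_src[src].append((int(sport), dst, int(dport), proto))
    complain, followup = [], defaultdict(set)
    for src, hits in by_src.items():
        # DNS replies: UDP from port 53, one inside host, unprivileged dest ports.
        # Anything else from port 53 (several hosts, low ports) is still reported.
        dsts = {dst for _, dst, _, _ in hits}
        is_dns = len(dsts) == 1 and all(
            proto == "UDP" and sport == 53 and dport >= 1024
            for sport, _, dport, proto in hits)
        if is_dns:
            followup[dsts.pop()].add(src)
        else:
            complain.append(src)
    return sorted(complain), {h: sorted(r) for h, r in followup.items()}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
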