Snort mailing list archives
Re: DNS, portscan, & laptops
From: Brian Caswell <bmc () mitre org>
Date: Mon, 18 Jun 2001 17:36:49 -0400
Andrew Daviel wrote:
A little gotcha - well, as it relates to my reporter script
http://andrew.triumf.ca/pub/security/reporter/

The notes say to ignore DNS servers to avoid triggering the portscan plugin. So I ignore the root nameservers, our onsite users use our onsite nameservers, occasional DNS lookups are ignored, and everything is OK.

Then someone brings a laptop onsite, forgets to reconfigure the DNS from their home ISP, and does a lot of surfing. Result, 2 automated complaints sent to their ISP (followed by manual "sorry! please ignore."). I since fixed the script to ignore UDP source port 53.

Normally, I suppose, you would like to know about someone misconfigured like this, but probably not to panic...
This would be yet another reason for NOT automagically doing things like automail or autofirewall. You are going to shoot yourself in the foot like this. Never never never never do anything but wave big red flags at yourself automagically.

Computers are smart, but computers don't know politics. Heck, people don't know politics. Why should computers know any better?

--
Brian Caswell
The MITRE Corporation
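The triage this exchange points toward, as an added example that is not part of either post or of the reporter script: portscan-style events are grouped by source, and bursts that are purely UDP from source port 53 are labelled for a person to look at instead of triggering mail. The log layout, the addresses, the threshold and the `triage` function are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events in a simplified
# "time src:sport -> dst:dport PROTO" layout (assumed, not taken from the page).
SAMPLE = """\
Jun 18 14:02:11 198.51.100.53:53 -> 192.0.2.40:1031 UDP
Jun 18 14:02:11 198.51.100.53:53 -> 192.0.2.40:1032 UDP
Jun 18 14:02:12 198.51.100.53:53 -> 192.0.2.40:1033 UDP
Jun 18 14:02:12 198.51.100.53:53 -> 192.0.2.40:1034 UDP
Jun 18 14:05:40 203.0.113.9:40122 -> 192.0.2.40:21 SYN
Jun 18 14:05:40 203.0.113.9:40123 -> 192.0.2.40:22 SYN
Jun 18 14:05:40 203.0.113.9:40124 -> 192.0.2.40:23 SYN
Jun 18 14:05:41 203.0.113.9:40125 -> 192.0.2.40:25 SYN
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ (\S+):(\d+) -> (\S+):(\d+) (\w+)")


def triage(log_text, known_dns=frozenset(), min_ports=4):
    """Label each noisy source for a human; this function never sends anything."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            src, sport, _dst, dport, proto = m.groups()
            by_src[src].append((int(sport), int(dport), proto))

    report = {}
    for src, events in by_src.items():
        if len({dport for _, dport, _ in events}) < min_ports:
            continue  # too few distinct ports to look like a scan
        # Replies from a resolver arrive as UDP from port 53 to many
        # ephemeral client ports, which is what trips a portscan counter.
        dns_like = all(p == "UDP" and s == 53 for s, _, p in events)
        if dns_like and src in known_dns:
            report[src] = "ignore: replies from a configured DNS server"
        elif dns_like:
            # Kept visible rather than dropped: an unlisted resolver usually
            # means a misconfigured client, and a source port proves nothing.
            report[src] = "review: DNS replies from an unlisted resolver"
        else:
            report[src] = "review: possible portscan"
    return report


if __name__ == "__main__":
    for src, verdict in triage(SAMPLE).items():
        print(src, "->", verdict)
```
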