Snort mailing list archives
Re: Portscan preprocessor catching DNS replies
From: Neil Dickey <neil () geol niu edu>
Date: Wed, 15 Aug 2001 14:53:37 -0500 (CDT)
Mathieu Nantel <nantel () ecopiabio com> wrote asking:
My problem resides in the fact that Snort's portscan module is catching DNS query replies ( any port 53 -> my_servers port gt 1024). This generates a great deal of false positives and I am wondering if there is a way to configure the portscan preprocessor so that it ignores it.
[ ... ]
Is there a way to deal with this?
Yes, use the "preprocessor portscan-ignorehosts:" directive. Here's the syntax:

    preprocessor portscan-ignorehosts: [11.222.33.0/24,444.5.666.7,8.99.0.0/16]

Put it in your snort.config file just below the portscan preprocessor line, and it should fix your problem.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115
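An added example, not part of the original post: a small linter for the ignore list described in the reply above. It checks that the portscan-ignorehosts line follows the portscan line, that every entry is a valid address or CIDR, and that no entry is so wide that it blinds the portscan detector for a large range. The sample config, its addresses, the `lint_ignorehosts` name and the 256-host threshold are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample config; the addresses are illustrative, not from the post.
SAMPLE_CONF = """\
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: [192.0.2.53,198.51.100.0/24,444.5.666.7,10.0.0.0/8]
"""

DIRECTIVE = re.compile(r"^\s*preprocessor\s+(portscan(?:-ignorehosts)?)\s*:\s*(.*)$")
MAX_HOSTS = 256  # assumed policy: anything wider than a /24 deserves review


def lint_ignorehosts(conf_text, max_hosts=MAX_HOSTS):
    """Return (line_number, message) findings for portscan-ignorehosts lines."""
    findings = []
    portscan_line = None
    ignore_seen = False
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE.match(line.split("#", 1)[0])  # drop trailing comments
        if not m:
            continue
        name, args = m.groups()
        if name == "portscan":
            portscan_line = lineno
            continue
        ignore_seen = True
        if portscan_line is None:
            findings.append((lineno, "ignorehosts appears before the portscan line"))
        for entry in re.split(r"[,\s]+", args.strip().strip("[]")):
            if not entry or entry.startswith("$"):  # skip blanks and variables
                continue
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append((lineno, f"invalid address or CIDR: {entry}"))
                continue
            if net.num_addresses > max_hosts:
                findings.append(
                    (lineno, f"broad ignore range {net} ({net.num_addresses} hosts)"))
    if not ignore_seen:
        findings.append((0, "no portscan-ignorehosts directive found"))
    return findings


if __name__ == "__main__":
    for lineno, message in lint_ignorehosts(SAMPLE_CONF):
        print(f"line {lineno}: {message}")
```

Listing only the individual DNS servers that generate the replies keeps the ignore list narrow, so scans from other hosts in the same network are still reported.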