Snort mailing list archives
Re: Portscan preprocessor catching DNS replies
From: Jörgen Persson <jpn () tlth lth se>
Date: Thu, 16 Aug 2001 01:17:05 +0200
On Thu, Aug 16, 2001 at 12:04:55AM +0200, Jörgen Persson wrote:
> On Wed, Aug 15, 2001 at 11:31:13PM +0200, Andreas Östling wrote:
> > On Wed, 15 Aug 2001, Jörgen Persson wrote:
> > > I used to have the same problem and I couldn't find a way to solve it with ''portscan-ignorehosts''. There might be a way to solve it with a snort rule but I made an ugly bpf hack.
> > >
> > > % cat /etc/snort/bpf.rules
> > > not udp src port domain
> > > % snort -F /etc/snort/bpf.rules
> >
> > This filter is IMO not very good since it ignores too much. The problem is that all traffic coming from port 53 doesn't have to be DNS-related. You probably don't want to miss when someone executes a bunch of ntpd exploits against you using 53 as source port, for example.
> > [snip]
>
> No... that filter isn't good but it's a compromise that works. I'm relatively new to Snort and all ideas are appreciated. The problem occurs when there's DNS server traffic within Snort's reach. Your DNS server will query other servers recursively and that's why you can't specify them.
Let us forget about my ugly bpf hack... does this pass rule (in conjunction with the -o option) look better:

pass udp any 53 -> $HOME_NET 1024:65535

This is my first Snort rule, feel free to laugh :)

Jörgen

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
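The difference between the two exemptions discussed in this thread, modelled as an added example that is not part of any message above: the BPF filter hides every UDP packet with source port 53, while the pass rule only exempts packets from port 53 that are headed to an ephemeral port on $HOME_NET. The HOME_NET prefix and the sample flows are constructed for the demonstration.

```python
# Added example (not from the thread): compare the scope of
#   BPF:       not udp src port domain
#   pass rule: pass udp any 53 -> $HOME_NET 1024:65535
# on constructed UDP flows of the form (src_ip, src_port, dst_ip, dst_port).
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("192.0.2.0/24")  # constructed placeholder for $HOME_NET


def bpf_filter_drops(flow):
    """'not udp src port domain': Snort never sees anything from UDP/53."""
    _, sport, _, _ = flow
    return sport == 53


def pass_rule_matches(flow):
    """The pass rule only exempts replies from port 53 to ephemeral ports on HOME_NET."""
    _, sport, dst, dport = flow
    return sport == 53 and ip_address(dst) in HOME_NET and 1024 <= dport <= 65535


def classify(flow):
    """Which exemption(s) would keep this flow away from the detection logic."""
    return {"bpf": bpf_filter_drops(flow), "pass_rule": pass_rule_matches(flow)}


def hidden_only_by_bpf(flows):
    """Names of flows the BPF filter discards but the pass rule still lets Snort inspect."""
    return sorted(n for n, f in flows.items() if bpf_filter_drops(f) and not pass_rule_matches(f))


# Constructed sample flows (documentation address ranges)
FLOWS = {
    "dns_reply":     ("198.51.100.5", 53, "192.0.2.10", 33125),   # normal recursive reply
    "src53_to_ntp":  ("198.51.100.5", 53, "192.0.2.10", 123),     # port 53 used as source, NTP target
    "src53_off_net": ("198.51.100.5", 53, "203.0.113.7", 40000),  # not destined for HOME_NET
    "real_scan":     ("198.51.100.5", 44444, "192.0.2.10", 22),   # unrelated probe
}

if __name__ == "__main__":
    for name, flow in FLOWS.items():
        print(name, classify(flow))
    print("still inspected under the pass rule:", hidden_only_by_bpf(FLOWS))
```

Whether a pass rule suppresses portscan preprocessor alerts at all depends on the Snort version, because preprocessors run before the rule engine; the model above only compares how much traffic each exemption removes from inspection.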
Current thread:
- Portscan preprocessor catching DNS replies Mathieu Nantel (Aug 15)
- Re: Portscan preprocessor catching DNS replies Jörgen Persson (Aug 15)
- Re: Portscan preprocessor catching DNS replies Andreas Östling (Aug 15)
- Re: Portscan preprocessor catching DNS replies Jörgen Persson (Aug 15)
- Re: Portscan preprocessor catching DNS replies Jörgen Persson (Aug 15)
- Re: Portscan preprocessor catching DNS replies Andreas Östling (Aug 15)
- Re: Portscan preprocessor catching DNS replies root (Aug 16)
- Re: Portscan preprocessor catching DNS replies Jörgen Persson (Aug 16)
- Re: Portscan preprocessor catching DNS replies Jörgen Persson (Aug 15)
- <Possible follow-ups>
- Re: Portscan preprocessor catching DNS replies Neil Dickey (Aug 15)