Snort mailing list archives
Re: Not ignoring DNS servers
From: Italo Antonio <imigotto () proteus com br>
Date: Thu, 06 Sep 2001 15:26:04 -0400
This way you are just ignoring portscans on the dns-servers. These are alerts from icmp-info.rules, if you want to ignore them you have to write pass rules, or just comment out this rule from your icmp-info.rules.

Snort FAQ: 3.7

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How do I ignore traffic coming from a particular host or hosts?

A: Write pass rules and add the host(s) to the portscan-ignorehosts list. Call Snort with the -o option to activate the pass rules. See http://www.snort.org/writing_snort_rules.htm for more information.

Italo.

Paul Slinski wrote:
I have snort set up the following way in snort.conf (snort rules from snort site):

var DNS_SERVERS [206.191.0.140/32,206.191.0.210/32]

and

preprocessor portscan-ignorehosts: $DNS_SERVERS

Yet snort still reports:

[**] [1:0:0] ICMP Destination Unreachable (Port Unreachable) [**]
09/06-00:02:01.200180 206.191.19.2 -> 206.191.0.210
ICMP TTL:255 TOS:0xC0 ID:51451 IpLen:20 DgmLen:141
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
206.191.0.210:53 -> 206.191.19.2:4611
UDP TTL:253 TOS:0x0 ID:13975 IpLen:20 DgmLen:113
Len: 93
** END OF DUMP

Any ideas?

-Paul

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
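Why the FAQ ties pass rules to the -o option, as an added example that is not part of the original posts and is not Snort's own code: Snort 1.x evaluates rules in Alert->Pass->Log order by default, and -o switches to Pass->Alert->Log. The simplified rule headers below are assumptions: the alert line stands in for the icmp-info.rules entry, and the pass line is a hypothetical local rule.

```python
import ipaddress

# Values taken from the snort.conf and the alert quoted in the thread.
DNS_SERVERS = ["206.191.0.140/32", "206.191.0.210/32"]
PACKET = {"proto": "icmp", "src": "206.191.19.2", "dst": "206.191.0.210"}

# Simplified rule headers: (action, proto, src, dst). Constructed for this
# example; real Snort rules also carry ports, direction and options.
RULES = [
    ("alert", "icmp", "any", "any"),          # stand-in for icmp-info.rules
    ("pass", "icmp", "any", "$DNS_SERVERS"),  # hypothetical local pass rule
]

DEFAULT_ORDER = ("alert", "pass", "log")     # Snort started without -o
PASS_FIRST_ORDER = ("pass", "alert", "log")  # Snort started with -o


def addr_matches(spec, addr):
    """Return True if addr falls inside the rule's address spec."""
    if spec == "any":
        return True
    nets = DNS_SERVERS if spec == "$DNS_SERVERS" else [spec]
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def rule_matches(rule, pkt):
    """Compare one rule header against a packet's protocol and addresses."""
    _, proto, src, dst = rule
    return (proto == pkt["proto"]
            and addr_matches(src, pkt["src"])
            and addr_matches(dst, pkt["dst"]))


def verdict(pkt, rules, order):
    """Walk the rule lists in the given action order; the first match wins."""
    for action in order:
        for rule in rules:
            if rule[0] == action and rule_matches(rule, pkt):
                return action
    return "none"


if __name__ == "__main__":
    print("without -o:", verdict(PACKET, RULES, DEFAULT_ORDER))
    print("with -o:   ", verdict(PACKET, RULES, PASS_FIRST_ORDER))
```

The portscan-ignorehosts line is not modelled here because it only affects the portscan preprocessor, not rule-based alerts such as the ICMP one quoted above.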