Snort mailing list archives
RE: UUnet dns server portscans filling up log.. causing email of real alerts to crash
From: Jeff Ito <jeffi () rcn com>
Date: Wed, 11 Jul 2001 12:17:27 -0400 (EDT)
This is how I solved my problem: use the -F option in snort for "BPF" rules (I use "bpf.rules"). My bpf.rules rules file reads:

not 'src host x.x.x.x and port 53'

where x.x.x.x is of course the IP of the DNS server. I really don't know why the ignore preprocessor doesn't work, but this is the approach I took for what seems to be the exact same problem...

Jeff
Interesting, thanks Jeff. This seems to be the way to go... Can you send me some specifics on how you installed that tcpdump rule set? Is there any other way to do this? And why doesn't the ignore portscan hosts preprocessor work in this scenario? I don't really want to have to use tcpdump files if I don't have to: I have plenty of space on the drives and it would screw up the mail alert script that I have built.
*snip - apparent port scan from external DNS server*
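As an added illustration (not code from the thread or from the Snort project), the small Python evaluator below models the pcap-filter semantics of a Snort -F file over a few constructed packet records, so the effect of a filter can be checked before it is put on a sensor. It assumes a placeholder upstream DNS server address of 192.0.2.53 and supports only the host/port/and/or/not subset of the syntax. It also shows the precedence pitfall a practitioner would want to know about: in pcap-filter syntax "not" binds tighter than "and", and quotes do not group anything, so the bare form "not src host X and port 53" is read as "(not src host X) and port 53", which hides almost all traffic from Snort; the parenthesised form is what the message intends.

```python
"""Toy evaluator for the pcap-filter subset used in a Snort -F file.
Added example, not from the mailing-list thread. The DNS server address
192.0.2.53 and the sample packets are constructed placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


Predicate = Callable[[Packet], bool]


def tokenize(expr: str) -> List[str]:
    return expr.replace("(", " ( ").replace(")", " ) ").split()


class BpfParser:
    """Recursive-descent parser for: [src|dst] host ADDR, [src|dst] port NUM,
    and/or/not, and parentheses. Precedence follows pcap-filter: 'not' binds
    tightest; 'and' and 'or' have equal precedence, left to right."""

    def __init__(self, expr: str):
        self.toks = tokenize(expr)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self) -> Predicate:
        pred = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return pred

    def expr(self) -> Predicate:
        left = self.factor()
        while self.peek() in ("and", "or"):
            op = self.take()
            right = self.factor()
            if op == "and":
                left = (lambda l, r: lambda p: l(p) and r(p))(left, right)
            else:
                left = (lambda l, r: lambda p: l(p) or r(p))(left, right)
        return left

    def factor(self) -> Predicate:
        tok = self.take()
        if tok == "not":
            inner = self.factor()
            return lambda p: not inner(p)
        if tok == "(":
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        direction = None  # None means "either direction", as in pcap-filter
        if tok in ("src", "dst"):
            direction = tok
            tok = self.take()
        if tok == "host":
            addr = ipaddress.ip_address(self.take())
            return lambda p: ((direction != "dst" and ipaddress.ip_address(p.src) == addr)
                              or (direction != "src" and ipaddress.ip_address(p.dst) == addr))
        if tok == "port":
            num = int(self.take())
            return lambda p: ((direction != "dst" and p.sport == num)
                              or (direction != "src" and p.dport == num))
        raise ValueError(f"unknown token {tok!r}")


def packets_snort_sees(filter_text: str, packets: List[Packet]) -> List[Packet]:
    """Return the packets that pass the filter, i.e. the ones Snort would decode."""
    keep = BpfParser(filter_text).parse()
    return [p for p in packets if keep(p)]


DNS_SERVER = "192.0.2.53"  # placeholder for the upstream DNS server
SAMPLE = [  # constructed packets
    Packet(DNS_SERVER, "10.0.0.5", 53, 32768),  # DNS replies that look like a scan
    Packet(DNS_SERVER, "10.0.0.5", 53, 32769),
    Packet(DNS_SERVER, "10.0.0.5", 40000, 22),  # non-DNS traffic from the same host
    Packet("10.0.0.9", "10.0.0.5", 51000, 80),  # unrelated web traffic
    Packet("10.0.0.5", DNS_SERVER, 32770, 53),  # our own outbound query
]
GROUPED = "not (src host 192.0.2.53 and port 53)"   # what the thread intends
UNGROUPED = "not src host 192.0.2.53 and port 53"   # parses as (not src host) and port 53

if __name__ == "__main__":
    for name, flt in (("grouped", GROUPED), ("ungrouped", UNGROUPED)):
        print(name, "-> Snort still sees", len(packets_snort_sees(flt, SAMPLE)), "of", len(SAMPLE))
```

With the grouped filter only the two DNS replies are dropped and the other three packets still reach Snort; with the ungrouped form only the outbound query survives and everything else is invisible. On a real host, `tcpdump -d 'not (src host 192.0.2.53 and port 53)'` prints the compiled program and is a quick syntax check. Note that a -F filter discards packets before Snort decodes them, so whatever that host sends on port 53 is no longer inspected by any rule, whereas a working portscan-ignore setting would suppress only the scan alerts.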