Snort mailing list archives

Re: HELP!


From: Guillaume <guillaume () anteria fr>
Date: Fri, 09 Nov 2001 17:43:51 +0100 (CET)

In reply to Noah Silverman <noah () webclipping com>:

I've set up snort on our network, but I can't seem to keep it from logging
alerts from our DNS machines.


Did you set the DNS_SERVERS variable in your snort configuration file?

<extract from snort.conf>
# Define the addresses of DNS servers and other hosts
# if you want to ignore portscan false alarms from them...
var DNS_SERVERS ...
</extract>

<other extract from snort.conf>
# Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from specific
# networks or hosts to reduce false alerts. It is typical to see many false alerts
# from DNS servers so you may want to add your DNS servers here. You can add
# multiple hosts/networks in a whitespace-delimited list
preprocessor portscan-ignorehosts: $DNS_SERVERS
</other extract>


Guillaume.
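
Added example, not part of the message above and not Snort's own code: a Python audit that expands the variables behind `portscan-ignorehosts` and warns when the exemption is wider than a handful of hosts, since every address listed there stops producing portscan alerts. The sample config, the 16-address threshold and the tolerance for commas and brackets as separators are assumptions.

```python
import ipaddress
import re

# Constructed sample; addresses are documentation ranges, not from the post.
SAMPLE_CONF = """\
var HOME_NET 192.0.2.0/24
var DNS_SERVERS 192.0.2.53/32
preprocessor portscan-ignorehosts: $DNS_SERVERS 192.0.2.54/32
"""

VAR_RE = re.compile(r"^\s*var\s+(\S+)\s+(.+?)\s*$")
IGNORE_RE = re.compile(r"^\s*preprocessor\s+portscan-ignorehosts\s*:\s*(.+?)\s*$")


def expand(value, variables, depth=0):
    """Expand $NAME references and split a value into host/network tokens."""
    if depth > 10:
        raise ValueError("variable reference loop")
    tokens = []
    # Commas and brackets are tolerated as separators (assumption); the quoted
    # snort.conf comment only describes a whitespace-delimited list.
    for tok in filter(None, re.split(r"[\s,\[\]]+", value)):
        if tok.startswith("$"):
            if tok[1:] not in variables:
                raise KeyError(f"undefined variable {tok}")
            tokens += expand(variables[tok[1:]], variables, depth + 1)
        else:
            tokens.append(tok)
    return tokens


def audit_ignorehosts(conf_text, max_addresses=16):
    """Return (networks, warnings) for every portscan-ignorehosts line."""
    variables, networks, warnings = {}, [], []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # drop comments
        if m := VAR_RE.match(line):
            variables[m.group(1)] = m.group(2)
        elif m := IGNORE_RE.match(line):
            for tok in expand(m.group(1), variables):
                if tok.lower() == "any":
                    warnings.append("'any' exempts every source")
                    continue
                net = ipaddress.ip_network(tok, strict=False)
                networks.append(net)
                if net.num_addresses > max_addresses:  # hypothetical threshold
                    warnings.append(f"{net} exempts {net.num_addresses} addresses")
    if not networks and not warnings:
        warnings.append("no portscan-ignorehosts entries found")
    return networks, warnings
```

Calling `audit_ignorehosts(open("snort.conf").read())` returns the expanded exemption list and any warnings; a config that passes `$HOME_NET` to the directive is flagged as exempting the whole network.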


