Snort mailing list archives
Re: HELP!
From: Guillaume <guillaume () anteria fr>
Date: Fri, 09 Nov 2001 17:43:51 +0100 (CET)
In reply to Noah Silverman <noah () webclipping com>:
I've set up snort on our network, but I can't seem to keep it from logging alerts from our DNS machines.
Did you set the DNS_SERVERS variable in your snort configuration file?

<extract from snort.conf>
Define the addresses of DNS servers and other hosts if you want to ignore portscan false alarms from them...
var DNS_SERVERS ...
</extract>

<other extract from snort.conf>
Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from specific networks or hosts to reduce false alerts. It is typical to see many false alerts from DNS servers so you may want to add your DNS servers here. You can add multiple hosts/networks in a whitespace-delimited list
preprocessor portscan-ignorehosts: $DNS_SERVERS
</other extract>

Guillaume.
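As an added example (not part of the original post, and not Snort project code): a small Python check that a snort.conf has an active portscan-ignorehosts line whose expanded list covers each DNS server. The sample config, the addresses and all function names are constructed for illustration, and it assumes only the `var NAME value` and `$NAME` forms shown in the extracts above.

```python
import ipaddress
import re

# Constructed sample config (documentation-range addresses, not from the post).
# The ignorehosts line is commented out, so DNS_SERVERS is set but never used.
SAMPLE_CONF = """\
var HOME_NET 192.0.2.0/24
var DNS_SERVERS 192.0.2.53/32
# preprocessor portscan-ignorehosts: $DNS_SERVERS
"""

def parse_conf(text):
    """Return (variables, ignorehosts tokens) from active, uncommented lines."""
    variables, ignored = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"var\s+(\S+)\s+(.+)$", line)
        if m:
            variables[m.group(1)] = m.group(2).strip()
            continue
        m = re.match(r"preprocessor\s+portscan-ignorehosts\s*:\s*(.+)$", line)
        if m:
            ignored.extend(m.group(1).split())  # whitespace-delimited list
    return variables, ignored

def expand(token, variables, depth=0):
    """Resolve a host/network token or a $NAME reference into networks."""
    if token.startswith("$"):
        if depth > 8 or token[1:] not in variables:
            return []  # undefined or looping variable covers nothing
        parts = variables[token[1:]].split()
        return [n for p in parts for n in expand(p, variables, depth + 1)]
    try:
        return [ipaddress.ip_network(token, strict=False)]
    except ValueError:
        return []  # not an address or CIDR; treat as covering nothing

def uncovered_dns_hosts(text, dns_hosts):
    """DNS hosts that the active portscan-ignorehosts list does not cover."""
    variables, ignored = parse_conf(text)
    nets = [n for tok in ignored for n in expand(tok, variables)]
    return [h for h in dns_hosts
            if not any(ipaddress.ip_address(h) in n for n in nets)]

if __name__ == "__main__":
    print(uncovered_dns_hosts(SAMPLE_CONF, ["192.0.2.53"]))
```

An empty result means every listed DNS server is in the ignore list; any address returned will still generate portscan alerts.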