Snort mailing list archives

Re: DNS portscan alerts


From: Leigh David Heyman <leigh () ai mit edu>
Date: Fri, 15 Mar 2002 12:20:33 -0500



> I didn't have this problem when I used to run bind. It used to run on
> the public interface though.


Of course you didn't if you were running snort on the local interface, and 
bind on the public interface.  I imagine if you run bind on the local 
interface you'd get the same effect.


> How can I tell snort to ignore these portscans? I cannot list every DNS
> server in the portscan-ignorehosts.


Will this work?  Defining a network without your DNS server(s)

var HOME_NET_NODNS [$HOME_NET,!your.dns.ip/32]

then

preprocessor portscan: $HOME_NET_NODNS 4 3 portscan.log

-Leigh


-----------------------------
The difference between the right word and the almost right word is the
difference between lightning and the lightning bug.
                -- Mark Twain
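
A simplified model of the threshold check configured by "preprocessor portscan: <net> 4 3 <log>" (4 ports within 3 seconds), added here as an illustration; it is not code from the post or from Snort. The addresses and packets are constructed, and it assumes the local resolver uses a different source port per query, so replies from one remote DNS server arrive on several ports.

```python
import ipaddress
from collections import defaultdict

def monitored(ip, include, exclude=()):
    """True if ip is inside an included network and outside every excluded one."""
    addr = ipaddress.ip_address(ip)
    inside = any(addr in ipaddress.ip_network(n) for n in include)
    return inside and not any(addr in ipaddress.ip_network(n) for n in exclude)

def scan_alerts(packets, include, exclude=(), ports=4, period=3):
    """Sources that reach `ports` distinct ports on one monitored host in `period` s."""
    recent = defaultdict(list)          # (src, dst) -> [(time, dst_port), ...]
    alerts = set()
    for t, src, dst, dport in sorted(packets):
        if not monitored(dst, include, exclude):
            continue                    # destination is outside the watched network
        hits = recent[(src, dst)]
        hits.append((t, dport))
        hits[:] = [(ht, hp) for ht, hp in hits if t - ht < period]
        if len({hp for _, hp in hits}) >= ports:
            alerts.add(src)
    return alerts

# Constructed sample traffic (documentation address ranges), not from the post.
HOME_NET = ["192.0.2.0/24"]
RESOLVER = "192.0.2.53"
PACKETS = [
    # (time, src, dst, dst_port): DNS replies from a remote server to the resolver
    (0.0, "198.51.100.10", RESOLVER, 31001),
    (0.4, "198.51.100.10", RESOLVER, 42017),
    (0.9, "198.51.100.10", RESOLVER, 55320),
    (1.5, "198.51.100.10", RESOLVER, 60444),
    # a second remote DNS server that only answers twice: below the threshold
    (2.0, "198.51.100.20", RESOLVER, 33100),
    (2.2, "198.51.100.20", RESOLVER, 47811),
    # an actual scan of another host in HOME_NET
    (10.0, "203.0.113.9", "192.0.2.80", 21),
    (10.2, "203.0.113.9", "192.0.2.80", 22),
    (10.4, "203.0.113.9", "192.0.2.80", 23),
    (10.6, "203.0.113.9", "192.0.2.80", 25),
]

if __name__ == "__main__":
    print("whole HOME_NET watched:", sorted(scan_alerts(PACKETS, HOME_NET)))
    print("resolver excluded:     ",
          sorted(scan_alerts(PACKETS, HOME_NET, [RESOLVER + "/32"])))
```

In this model the exclusion also hides a genuine scan aimed at the resolver itself, so that host needs coverage from other rules.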


