Snort mailing list archives
Re: DNS portscan alerts
From: Dushyanth Harinath <dushy () symonds net>
Date: Sat, 16 Mar 2002 10:56:58 +0530
* Leigh David Heyman <leigh () ai mit edu> [020316 04:56]:
> > I didn't have this problem when I used to run bind. It used to run on the public interface though.
>
> Of course you didn't if you were running snort on the local interface, and bind on the public interface. I imagine if you run bind on the local interface you'd get the same effect

No, it doesn't. Running bind on the local LAN interface doesn't cause any portscans from the DNS servers.

> > How can I tell snort to ignore these portscans? I cannot list every DNS server in the portscan-ignorehosts.
>
> Will this work? Defining a network without your DNS server(s)

The DNS server(s) generating the portscans are not mine. Some of them are ns.apnic.net, etc. So, whenever dnscache is making a query to those servers, I get a portscan alert.

> var HOME_NET_NODNS [$HOME_NET,!your.dns.ip/32]
> then
> preprocessor portscan: $HOME_NET_NODNS 4 3 portscan.log

This I have already done. I have put my DNS servers into portscan-ignorehosts and they don't cause any alerts.

TIA
cheers
dushyanth
--
How about some patent | Dushyanth Harinath
on "(a+b)2 == a2+2ab+b2" | Archean Infotech
... choose free software! | http://www.archeanit.com
--some Usenet siggy | http://symonds.net/~dushy
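An added illustration, not part of the thread and not Snort's own code: a simplified Python model of an "N ports in T seconds" detector using the 4/3 thresholds quoted above. It shows why replies from remote DNS servers count as a scan when each query leaves from a different source port (assumed here for dnscache), and how matching replies against outstanding queries avoids listing every remote server. All addresses, ports and function names are constructed for the example.

```python
from collections import defaultdict

PORTS, WINDOW = 4, 3  # from "preprocessor portscan: ... 4 3" in the thread

def scan_alerts(packets, resolver=None):
    """Return source IPs that hit >= PORTS distinct destination ports within
    WINDOW seconds. packets: (time, src_ip, src_port, dst_ip, dst_port), UDP,
    sorted by time. When resolver is set, replies that answer an outstanding
    query from that host are not counted as scan evidence."""
    pending = set()            # (server_ip, resolver_src_port) awaiting a reply
    seen = defaultdict(list)   # src_ip -> [(time, dst_port)] inside the window
    alerts = set()
    for t, src, sport, dst, dport in packets:
        if resolver and src == resolver and dport == 53:
            pending.add((dst, sport))        # outbound query: remember it
            continue
        if resolver and sport == 53 and dst == resolver and (src, dport) in pending:
            pending.discard((src, dport))    # solicited reply: skip it
            continue
        recent = [(ts, p) for ts, p in seen[src] if t - ts < WINDOW]
        seen[src] = recent + [(t, dport)]
        if len({p for _, p in seen[src]}) >= PORTS:
            alerts.add(src)
    return alerts

# Constructed sample traffic (documentation address ranges).
RESOLVER, NS, OTHER = "192.0.2.10", "198.51.100.53", "203.0.113.7"

def sample_traffic():
    pkts = []
    # Four queries to one remote server, each from a different source port,
    # and the matching replies coming back to those four ports.
    for i, port in enumerate((40211, 51877, 33902, 60415)):
        pkts.append((i * 0.5, RESOLVER, port, NS, 53))
        pkts.append((i * 0.5 + 0.1, NS, 53, RESOLVER, port))
    # Unsolicited packets from source port 53 that answer no query.
    for i, port in enumerate((21, 22, 25, 80)):
        pkts.append((5 + i * 0.2, OTHER, 53, RESOLVER, port))
    return pkts

if __name__ == "__main__":
    print("plain threshold :", sorted(scan_alerts(sample_traffic())))
    print("query-aware     :", sorted(scan_alerts(sample_traffic(), RESOLVER)))
```

The query-aware pass still flags the unsolicited source, which a blanket exemption for source port 53 would not.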
Current thread:
- DNS portscan alerts Dushyanth Harinath (Mar 14)
- Re: DNS portscan alerts Leigh David Heyman (Mar 15)
- Re: DNS portscan alerts Dushyanth Harinath (Mar 15)
- Re: DNS portscan alerts Leigh David Heyman (Mar 18)
- Re: DNS portscan alerts Dushyanth Harinath (Mar 18)
- Re: DNS portscan alerts Leigh David Heyman (Mar 18)
- Re: DNS portscan alerts Dushyanth Harinath (Mar 18)
- Re: DNS portscan alerts Leigh David Heyman (Mar 19)
- Re: DNS portscan alerts Dushyanth Harinath (Mar 15)
- Re: DNS portscan alerts Leigh David Heyman (Mar 15)