Snort mailing list archives

Re: DNS portscan alerts


From: Dushyanth Harinath <dushy () symonds net>
Date: Sat, 16 Mar 2002 10:56:58 +0530

* Leigh David Heyman <leigh () ai mit edu> [020316 04:56]:


> > I didn't have this problem when I used to run bind. It used to run on
> > the public interface though.


> Of course you didn't if you were running snort on the local interface, and
> bind on the public interface.  I imagine if you run bind on the local
> interface you'd get the same effect

No, it doesn't. Running bind on the local LAN interface doesn't cause
any portscans from the DNS servers.


> > How can I tell snort to ignore these portscans? I cannot list every DNS
> > server in the portscan-ignorehosts.


> Will this work?  Defining a network without your DNS server(s)

The DNS server(s) generating the portscans are not mine. Some of them
are ns.apnic.net, etc. So, whenever dnscache is making a query to those
servers, I get a portscan alert.

> var HOME_NET_NODNS [$HOME_NET,!your.dns.ip/32]
> then
>
> preprocessor portscan: $HOME_NET_NODNS 4 3 portscan.log

This I have already done; I have put my DNS servers into
portscan-ignorehosts and they don't cause any alerts.

TIA
cheers
dushyanth
-- 
How about some patent       |  Dushyanth Harinath
on "(a+b)2 == a2+2ab+b2"    |  Archean Infotech
... choose free software!   |  http://www.archeanit.com
 --some Usenet siggy        |  http://symonds.net/~dushy
