Snort mailing list archives

Re: DNS portscan alerts


From: Dushyanth Harinath <dushy () symonds net>
Date: Tue, 19 Mar 2002 10:57:37 +0530

* Leigh David Heyman <leigh () ai mit edu> [020319 04:15]:


> > Oh, sorry, my mistake, but the alerts are from many nameservers, not
> > from a particular one, and listing them all is not possible.


> True, but are the scans TO several systems or just one or a few... while
> clearly you can't ignore all the external nameservers which are "scanning"
> you, can you possibly exclude your "internal" systems which are being
> "scanned" from the group of systems which spp_portscan is watching over, or
> would that simply mean your entire network, and thus disabling spp_portscan
> altogether?

No, I can't do that because it's my public interface.

Let me explain it better.

                             --------
                             |Router|
                             --------
                                |
                                | eth0 (xxx.xxx.xxx.xxx) public IP
                            ----------
                            | server |
                            |        |
                            ----------
                                | eth1 (192.168.0.1) local LAN IP
                                | Snort and dnscache
                  ---------------------------
                  |     |    |    |     |   |

                    client machines on LAN


Whenever the dnscache running on 192.168.0.1 queries an external DNS server,
it results in a portscan alert whose source is the external DNS server and
whose destination is my public interface on the server.

Some of the logs again:

Mar 15 12:05:27 203.255.112.34:53 -> xxx.xxx.xxx.xxx:8067 UDP  
Mar 15 12:05:27 203.255.112.34:53 -> xxx.xxx.xxx.xxx:39735 UDP  
Mar 15 12:05:27 203.255.112.34:53 -> xxx.xxx.xxx.xxx:9439 UDP  
Mar 15 12:05:28 203.255.112.34:53 -> xxx.xxx.xxx.xxx:41048 UDP  
Mar 15 12:05:28 203.255.112.34:53 -> xxx.xxx.xxx.xxx:61123 UDP  
Mar 15 12:05:28 203.255.112.34:53 -> xxx.xxx.xxx.xxx:57003 UDP  
Mar 15 12:05:28 203.255.112.34:53 -> xxx.xxx.xxx.xxx:49847 UDP  
Mar 15 12:05:29 203.255.112.34:53 -> xxx.xxx.xxx.xxx:6503 UDP  
Mar 15 12:05:29 203.255.112.34:53 -> xxx.xxx.xxx.xxx:14650 UDP  
Mar 15 12:05:29 203.255.112.34:53 -> xxx.xxx.xxx.xxx:24046 UDP  
Mar 15 12:05:29 203.255.112.34:53 -> xxx.xxx.xxx.xxx:45110 UDP  
Mar 15 12:05:29 203.255.112.34:53 -> xxx.xxx.xxx.xxx:16721 UDP  


So, I can't ignore the portscan traffic to the public interface.

Hope I have explained clearly now :)
cheers
dushyanth
-- 
How about some patent       |  Dushyanth Harinath
on "(a+b)2 == a2+2ab+b2"    |  Archean Infotech
... choose free software!   |  http://www.archeanit.com
 --some Usenet siggy        |  http://symonds.net/~dushy
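An added example, not part of the thread above and not Snort's or djbdns's own code: dnscache sends each outgoing query from a random high source port, so the replies come back from port 53 to a different ephemeral port every time, which is exactly the "one source, many destination ports" pattern spp_portscan counts as a scan. The script below reads spp_portscan log lines of the form shown in the message and separates groups that look like DNS replies to a known resolver host (UDP, source port 53, destination port above 1023) from groups that still deserve a look. The resolver address 198.51.100.7 stands in for the masked xxx.xxx.xxx.xxx, and the four 192.0.2.99 lines are constructed to look like a real UDP sweep so there is something to contrast against.

```python
import re
from collections import defaultdict

# Constructed sample of spp_portscan output. The 203.255.112.34 lines are the
# ones quoted in the message with the masked resolver address replaced by the
# RFC 5737 documentation address 198.51.100.7; the 192.0.2.99 lines are made up
# here to resemble a genuine UDP service sweep (varying source ports, low ports).
SAMPLE_LOG = """\
Mar 15 12:05:27 203.255.112.34:53 -> 198.51.100.7:8067 UDP
Mar 15 12:05:27 203.255.112.34:53 -> 198.51.100.7:39735 UDP
Mar 15 12:05:27 203.255.112.34:53 -> 198.51.100.7:9439 UDP
Mar 15 12:05:28 203.255.112.34:53 -> 198.51.100.7:41048 UDP
Mar 15 12:05:28 203.255.112.34:53 -> 198.51.100.7:61123 UDP
Mar 15 12:05:28 203.255.112.34:53 -> 198.51.100.7:57003 UDP
Mar 15 12:05:28 203.255.112.34:53 -> 198.51.100.7:49847 UDP
Mar 15 12:05:29 203.255.112.34:53 -> 198.51.100.7:6503 UDP
Mar 15 12:05:29 203.255.112.34:53 -> 198.51.100.7:14650 UDP
Mar 15 12:05:29 203.255.112.34:53 -> 198.51.100.7:24046 UDP
Mar 15 12:05:29 203.255.112.34:53 -> 198.51.100.7:45110 UDP
Mar 15 12:05:29 203.255.112.34:53 -> 198.51.100.7:16721 UDP
Mar 15 12:07:01 192.0.2.99:40001 -> 198.51.100.7:53 UDP
Mar 15 12:07:01 192.0.2.99:40002 -> 198.51.100.7:69 UDP
Mar 15 12:07:02 192.0.2.99:40003 -> 198.51.100.7:111 UDP
Mar 15 12:07:02 192.0.2.99:40004 -> 198.51.100.7:161 UDP
"""

# "Mar 15 12:05:27 1.2.3.4:53 -> 5.6.7.8:8067 UDP"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3}\s+\d+\s+[\d:]+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)"
)


def parse(log_text):
    """Yield one dict per well-formed spp_portscan line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        yield ev


def classify(log_text, resolvers):
    """Group events by (src, dst) and label each group.

    A group is 'dns-reply' only when the destination is a host we know runs a
    caching resolver and every packet is UDP from source port 53 to an
    ephemeral port (>1023): the shape of answers to dnscache's random-port
    queries. Everything else stays 'portscan' for a human to look at.
    Returns {(src, dst): (label, packet_count)}.
    """
    groups = defaultdict(list)
    for ev in parse(log_text):
        groups[(ev["src"], ev["dst"])].append(ev)

    result = {}
    for (src, dst), evs in groups.items():
        dns_shaped = dst in resolvers and all(
            e["proto"] == "UDP" and e["sport"] == 53 and e["dport"] > 1023
            for e in evs
        )
        result[(src, dst)] = ("dns-reply" if dns_shaped else "portscan", len(evs))
    return result


if __name__ == "__main__":
    for (src, dst), (label, n) in sorted(classify(SAMPLE_LOG, {"198.51.100.7"}).items()):
        print(f"{src:>16} -> {dst:<14} {n:3d} pkts  {label}")
```

This is post-hoc triage of the portscan log, not a fix for the preprocessor itself: spp_portscan will keep firing. The source port is attacker-controlled, so a sweep sent from port 53 would pass the filter; that is why the label is only granted toward hosts known to run a resolver, and only for ephemeral destination ports, and why the output is meant to thin the noise rather than prove a source benign.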

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

