Snort mailing list archives
Re: DNS portscan alerts
From: Dushyanth Harinath <dushy () symonds net>
Date: Tue, 19 Mar 2002 10:57:37 +0530
* Leigh David Heyman <leigh () ai mit edu> [020319 04:15]:
> > Oh, sorry, my mistake, but the alerts are from many nameservers, not from a particular one, and listing them all is not possible.
>
> True, but are the scans TO several systems or just one or a few... while clearly you can't ignore all the external nameservers which are "scanning" you, can you possibly exclude your "internal" systems which are being "scanned" from the group of systems which spp_portscan is watching over, or would that simply mean your entire network, and thus disabling spp_portscan altogether?
No, I can't do that because it's my public interface. Let me explain it to you better.

                      --------
                      |Router|
                      --------
                          |
                          | eth0 (xxx.xxx.xxx.xxx) public IP
                      ----------
                      | server |
                      |        |
                      ----------
                          | eth1 (192.168.0.1) Local LAN IP
                          | Snort and dnscache
          ---------------------------
            |    |    |    |    |    |
             client machines on lan

Whenever the dnscache running on (192.168.0.1) queries an external DNS it results in a portscan alert with source from the external DNS with dest as my public interface on the server. Some of the logs again.

Mar 15 12:05:27 203.255.112.34:53 -> xxx.xxx.xxx.xxx:8067 UDP
Mar 15 12:05:27 203.255.112.34:53 -> xxx.xxx.xxx.xxx:39735 UDP
Mar 15 12:05:27 203.255.112.34:53 -> xxx.xxx.xxx.xxx:9439 UDP
Mar 15 12:05:28 203.255.112.34:53 -> xxx.xxx.xxx.xxx:41048 UDP
Mar 15 12:05:28 203.255.112.34:53 -> xxx.xxx.xxx.xxx:61123 UDP
Mar 15 12:05:28 203.255.112.34:53 -> xxx.xxx.xxx.xxx:57003 UDP
Mar 15 12:05:28 203.255.112.34:53 -> xxx.xxx.xxx.xxx:49847 UDP
Mar 15 12:05:29 203.255.112.34:53 -> xxx.xxx.xxx.xxx:6503 UDP
Mar 15 12:05:29 203.255.112.34:53 -> xxx.xxx.xxx.xxx:14650 UDP
Mar 15 12:05:29 203.255.112.34:53 -> xxx.xxx.xxx.xxx:24046 UDP
Mar 15 12:05:29 203.255.112.34:53 -> xxx.xxx.xxx.xxx:45110 UDP
Mar 15 12:05:29 203.255.112.34:53 -> xxx.xxx.xxx.xxx:16721 UDP

So, I can't ignore the portscan traffic to the public interface. Hope I have explained clearly now :)

cheers
dushyanth

-- 
How about some patent                 | Dushyanth Harinath
on "(a+b)2 == a2+2ab+b2"              | Archean Infotech
... choose free software!             | http://www.archeanit.com
--some Usenet siggy                   | http://symonds.net/~dushy
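The pattern dushyanth quotes is exactly what spp_portscan is built to catch: one external host answering from UDP/53, within a couple of seconds, the many queries that dnscache sent from random high source ports, which is indistinguishable by shape from a one-host UDP port sweep. The Python triage script below is an added example, not code from the thread or from Snort; it parses portscan.log lines in the format quoted above and labels resolver-reply fan-in separately from a real sweep. The resolver address 192.0.2.10, the scanner 198.51.100.9 and the log lines are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line format as quoted in the thread: "Mar 15 12:05:27 SRC:SPORT -> DST:DPORT PROTO"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

# Constructed sample: a dnscache reply burst (like the thread's) plus a genuine UDP sweep.
SAMPLE_LOG = """\
Mar 15 12:05:27 203.255.112.34:53 -> 192.0.2.10:8067 UDP
Mar 15 12:05:27 203.255.112.34:53 -> 192.0.2.10:39735 UDP
Mar 15 12:05:28 203.255.112.34:53 -> 192.0.2.10:9439 UDP
Mar 15 12:05:28 203.255.112.34:53 -> 192.0.2.10:41048 UDP
Mar 15 12:05:29 203.255.112.34:53 -> 192.0.2.10:61123 UDP
Mar 15 12:06:01 198.51.100.9:40211 -> 192.0.2.10:53 UDP
Mar 15 12:06:01 198.51.100.9:40212 -> 192.0.2.10:111 UDP
Mar 15 12:06:01 198.51.100.9:40213 -> 192.0.2.10:137 UDP
Mar 15 12:06:02 198.51.100.9:40214 -> 192.0.2.10:161 UDP
Mar 15 12:06:02 198.51.100.9:40215 -> 192.0.2.10:514 UDP
"""

def parse(lines):
    """Group log lines by (src, dst, proto), collecting source ports, dest ports and times."""
    flows = defaultdict(lambda: {"sports": set(), "dports": set(), "times": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrelated lines
        f = flows[(m["src"], m["dst"], m["proto"])]
        f["sports"].add(int(m["sport"]))
        f["dports"].add(int(m["dport"]))
        f["times"].append(datetime.strptime(m["ts"], "%b %d %H:%M:%S"))
    return flows

def triage(flows, resolvers, min_ports=4):
    """'dns-response': UDP, source port 53 only, to a host known to run a caching resolver,
    all destination ports ephemeral (>1023), i.e. replies to the cache's own queries.
    This is a triage label, not a suppression: it only applies to hosts in `resolvers`,
    so keep the alert for every other destination."""
    out = {}
    for (src, dst, proto), f in flows.items():
        span = (max(f["times"]) - min(f["times"])).total_seconds()
        if len(f["dports"]) < min_ports:
            label = "few-ports"
        elif proto == "UDP" and f["sports"] == {53} and dst in resolvers and min(f["dports"]) > 1023:
            label = "dns-response"
        else:
            label = "portscan"
        out[(src, dst)] = {"label": label, "ports": len(f["dports"]), "span_s": span}
    return out

def triage_sample():
    return triage(parse(SAMPLE_LOG.splitlines()), resolvers={"192.0.2.10"})
```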