Snort mailing list archives
Portscan false positives reg. DNS caching server
From: "Reckhard, Tobias" <tobias.reckhard () secunet com>
Date: Wed, 15 May 2002 11:06:32 +0200
Hi all,

I've got the problem that I'm experiencing a much too high ratio of false positives using preprocessor portscan. I keep getting alerts about supposed portscans to my internal, caching DNS server, which arise because of the sometimes numerous responses when the DNS cache wanders from the roots to the authoritative servers.

I've already placed the host into the preprocessor portscan-ignorehosts list, but that appears to take only the source of the packets into consideration. I receive DNS replies from the entire Internet, but I might as well deactivate the portscan detection and save some CPU cycles if I were to insert 0/0 to preprocessor portscan-ignorehosts...

Any ideas, anyone? I couldn't find anything on Google and in the FAQ (and I'm usually not that bad at RTFMing).

Thanks,
Tobias

--
Tobias Reckhard
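The effect described in the post, as an added example that is not part of the original message and is not Snort's code: a simplified threshold detector shows why an ignore list matched only on the packet source does not suppress DNS replies arriving at the resolver. The thresholds, addresses, packet tuples and the `reply_to_resolver` exemption are all constructed assumptions for illustration.

```python
from collections import defaultdict

# Simplified model of a threshold portscan detector (an assumption, not
# Snort's implementation): alert when one source reaches PORTS distinct
# destination ports within WINDOW seconds. All packets are treated as UDP.
PORTS, WINDOW = 4, 3
RESOLVER = "10.0.0.53"  # constructed address of the internal caching DNS server

def detect(packets, ignore_src=(), exempt=None):
    """packets: (ts, src, sport, dst, dport). Returns the set of alerting sources."""
    seen = defaultdict(list)  # src -> recent (ts, dport) pairs
    alerts = set()
    for ts, src, sport, dst, dport in sorted(packets):
        if src in ignore_src:          # source-only ignore list, as in the post
            continue
        if exempt and exempt(src, sport, dst, dport):
            continue
        recent = [(t, p) for t, p in seen[src] if ts - t <= WINDOW]
        recent.append((ts, dport))
        seen[src] = recent
        if len({p for _, p in recent}) >= PORTS:
            alerts.add(src)
    return alerts

# Constructed traffic: one authoritative server answers five queries that the
# cache sent from five different ephemeral ports.
DNS_REPLIES = [(0.1 * i, "192.0.2.53", 53, RESOLVER, 33000 + i) for i in range(5)]
# Constructed traffic: a sweep of five low ports on the resolver.
SWEEP = [(10 + 0.1 * i, "198.51.100.7", 40000, RESOLVER, 20 + i) for i in range(5)]

def reply_to_resolver(src, sport, dst, dport):
    """Hypothetical tuning rule: skip packets from port 53 to the resolver's
    ephemeral ports. It also hides anything else sent from port 53, so it is
    scoped to the single resolver address rather than the whole network."""
    return dst == RESOLVER and sport == 53 and dport >= 1024

if __name__ == "__main__":
    # Ignoring the resolver as a source changes nothing: it is the destination.
    print(detect(DNS_REPLIES + SWEEP, ignore_src={RESOLVER}))
    # Matching on destination and source port drops only the reply traffic.
    print(detect(DNS_REPLIES + SWEEP, ignore_src={RESOLVER}, exempt=reply_to_resolver))
```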