Snort mailing list archives

Portscan false positives reg. DNS caching server


From: "Reckhard, Tobias" <tobias.reckhard () secunet com>
Date: Wed, 15 May 2002 11:06:32 +0200

Hi all

I've got the problem that I'm experiencing a much too high ratio of false
positives using preprocessor portscan. I keep getting alerts about supposed
portscans to my internal, caching DNS server, which arise because of the
sometimes numerous responses when the DNS cache wanders from the roots to
the authoritative servers. I've already placed the host into the
preprocessor portscan-ignorehosts list, but that appears to take only the
source of the packets into consideration. I receive DNS replies from the
entire Internet, but I might as well deactivate the portscan detection and
save some CPU cycles if I was to insert 0/0 to preprocessor
portscan-ignorehosts...

Any ideas, anyone? I couldn't find anything on Google and in the FAQ (and
I'm usually not that bad at RTFMing).

Thanks,
Tobias
-- 
Tobias Reckhard
