Snort mailing list archives
Re: False positives with UDP Portscan PROTO255
From: Rich Adamson <radamson () routers com>
Date: Sat, 5 Mar 2005 18:09:35 -0600
> Mike Lieberman wrote:
> > I have doubts about some of the messages I am getting from Snort (using rules for 2.3). For instance the following portscan message is from ns1.sprintlink.net to ns1.netwright.net. We see DNS server to DNS server traffic labeled as port scans. In the case below, unless Sprint's primary name server (as well as many others from [have]) has been compromised, these portscans would actually have to be something related to BIND.
>
> Any significant number of DNS queries within a short time (depending on your portscan settings) will do this because the traffic is connectionless. Although you and I know these are query/response, the generic portscan preprocessor doesn't.
I think what he's observing is an overly sensitive portscan detector. I've noticed the same thing with lots of other port numbers, and not just DNS. For all practical purposes, we've had to disable the detector as it generates far too much noise.
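As an added illustration (not from the thread or from the Snort project) of the middle ground between a noisy detector and disabling it outright: the sfportscan preprocessor in Snort 2.3 takes ignore_scanners and ignore_scanned lists, so known name servers on both ends of the query/response exchange can be excluded while the detector keeps watching everything else. The addresses below are RFC 5737 documentation ranges standing in for the real resolvers and the log path is assumed.

```snort
# Before (noisy): every UDP exchange is scored for every host at a fairly
# sensitive level, so a busy DNS server talking to one peer trips the detector.
preprocessor sfportscan: proto { udp } \
                         scan_type { all } \
                         sense_level { medium }

# After (tuned): keep the preprocessor, lower the sensitivity, and exclude the
# name servers as both the "scanning" and the "scanned" side of the exchange.
# 192.0.2.53 and 198.51.100.53 are placeholders for the authoritative and
# recursive servers whose traffic was being flagged.
preprocessor sfportscan: proto { all } \
                         scan_type { all } \
                         sense_level { low } \
                         ignore_scanners { 192.0.2.53/32 198.51.100.53/32 } \
                         ignore_scanned { 192.0.2.53/32 198.51.100.53/32 } \
                         logfile { /var/log/snort/portscan.log }
```

Because sfportscan reports through a pseudo packet carrying IP protocol 255 (the "PROTO255" in the subject line), any remaining alerts are still easy to pick out of the log for review.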
Current thread:
- False positives with UDP Portscan PROTO255 Mike Lieberman (Mar 05)
- Re: False positives with UDP Portscan PROTO255 Jeff Kell (Mar 05)
- RE: False positives with UDP Portscan PROTO255 Mike Lieberman (Mar 05)
- RE: False positives with UDP Portscan PROTO255 Orit Vidas (Mar 08)
- Re: False positives with UDP Portscan PROTO255 Jeremy Hewlett (Mar 09)
- Re: False positives with UDP Portscan PROTO255 Rich Adamson (Mar 05)
- RE: False positives with UDP Portscan PROTO255 Mike Lieberman (Mar 05)
- Re: False positives with UDP Portscan PROTO255 Jeff Kell (Mar 05)