Snort mailing list archives

RE: Arghh...how do I stop it doing this!!


From: "Robert D. Hughes" <rob () robhughes com>
Date: Mon, 7 May 2001 18:06:12 -0500

I've got the same issue. I didn't start having this problem until I put a
caching DNS server on the gateway and locked it at port 53. I'm considering
removing that to see if it goes away.

Rob

-----Original Message-----
From: Dave Fitches [mailto:sticks.au () bigfoot com]
Sent: Thursday, May 03, 2001 11:14 AM
Cc: Snort-Users@Lists. Sourceforge. Net
Subject: RE: [Snort-users] Arghh...how do I stop it doing this!!




That would work, but it's NOT my DNS servers that it's seeing, it's the
REPLIES from OTHER DNS servers that get queried.....

var DNS_SERVERS [203.164.20.147/32,203.164.20.148/32]
preprocessor portscan-ignorehosts: $DNS_SERVERS

That is in my snort.conf, but still I see these damn port 53 queries
whenever I surf the web!


--

    = Dave Fitches =

________________________________________________________
 ,--__|\    David Fitches
/       \   * ICQ : 2120090   * SATCO CID : 955589
\_,--\__/   * Mobile : +61-419-466-744
       v    * E-mail : sticks.au () bigfoot com
               Melbourne, Victoria, Australia
               Web: http://www.bigfoot.com/~sticks.au/
_______________________________________________________

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Ed Greshko
Sent: Friday, 4 May 2001 01:47
To: sticks.au () bigfoot com
Cc: Snort-Users@Lists. Sourceforge. Net
Subject: RE: [Snort-users] Arghh...how do I stop it doing this!!




Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
[**] MISC source port 53 to <1023 [**]
05/04-00:04:47.283946 209.235.102.13:53 -> 203.164.xxx.xxx:53
UDP TTL:237 TOS:0x0 ID:50935 IpLen:20 DgmLen:460 DF
[**] MISC source port 53 to <1023 [**]
05/04-00:04:47.542673 209.235.102.12:53 -> 203.164.xxx.xxx:53
UDP TTL:237 TOS:0x0 ID:21123 IpLen:20 DgmLen:137 DF

[...etc...]

Damn thing seems to read every DNS query _I_ do as a bloody alert
notable event!!
ARRGHH!!!

Read the documentation?  :-) :-)

Part of the snort.conf has....

# Define the addresses of DNS servers and other hosts
# if you want to ignore portscan false alarms from them...

Do that and things magically get better.

I know, I did the same thing earlier today.  :-)

Ed



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users






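To make Dave's point concrete, here is an added example (not code from the thread or from Snort): it parses the `var DNS_SERVERS [...]` line and the alert lines in the format shown above, then reports which alert sources fall outside the listed servers. The destination address (masked as 203.164.xxx.xxx in the thread) and the third alert are constructed sample data.

```python
import ipaddress
import re

# Constructed sample modelled on the thread: Dave's snort.conf line plus alerts in
# the same format. 203.0.113.10 stands in for the masked destination; the third
# alert (from a listed server) is added to show the list does match when it applies.
SNORT_CONF = "var DNS_SERVERS [203.164.20.147/32,203.164.20.148/32]\n"
ALERTS = """\
[**] MISC source port 53 to <1023 [**]
05/04-00:04:47.283946 209.235.102.13:53 -> 203.0.113.10:53
UDP TTL:237 TOS:0x0 ID:50935 IpLen:20 DgmLen:460 DF
[**] MISC source port 53 to <1023 [**]
05/04-00:04:47.542673 209.235.102.12:53 -> 203.0.113.10:53
UDP TTL:237 TOS:0x0 ID:21123 IpLen:20 DgmLen:137 DF
[**] MISC source port 53 to <1023 [**]
05/04-00:05:01.000000 203.164.20.147:53 -> 203.0.113.10:53
UDP TTL:250 TOS:0x0 ID:11111 IpLen:20 DgmLen:120 DF
"""

VAR_RE = re.compile(r"^var\s+(\w+)\s+\[([^\]]*)\]", re.M)
PKT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$",
    re.M,
)

def parse_var_list(conf, name):
    """Return the networks in a snort.conf 'var NAME [a/32,b/32]' line as ip_network objects."""
    for var, body in VAR_RE.findall(conf):
        if var == name:
            return [ipaddress.ip_network(t.strip()) for t in body.split(",") if t.strip()]
    return []

def parse_alerts(text):
    """Extract (src, sport, dst, dport) tuples from the packet lines of Snort 1.x alert output."""
    return [(m["src"], int(m["sport"]), m["dst"], int(m["dport"])) for m in PKT_RE.finditer(text)]

def classify(alerts, ignored):
    """Split alerts into those whose source is inside the listed networks and those outside."""
    covered, uncovered = [], []
    for a in alerts:
        src = ipaddress.ip_address(a[0])
        (covered if any(src in n for n in ignored) else uncovered).append(a)
    return covered, uncovered

if __name__ == "__main__":
    ign = parse_var_list(SNORT_CONF, "DNS_SERVERS")
    cov, unc = classify(parse_alerts(ALERTS), ign)
    for a in unc:
        print("source not in $DNS_SERVERS:", a[0])  # the replies from other resolvers
```

The two 209.235.102.x sources are exactly the replies Dave describes: they come from servers that are not his own, so no list of his own resolvers can cover them.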