Snort mailing list archives
RE: Arghh...how do I stop it doing this!!
From: "Robert D. Hughes" <rob () robhughes com>
Date: Mon, 7 May 2001 18:06:12 -0500
I've got the same issue. I didn't start having this problem until I put a caching DNS server on the gateway and locked it at port 53. I'm considering removing that to see if it goes away.

Rob

-----Original Message-----
From: Dave Fitches [mailto:sticks.au () bigfoot com]
Sent: Thursday, May 03, 2001 11:14 AM
Cc: Snort-Users@Lists. Sourceforge. Net
Subject: RE: [Snort-users] Arghh...how do I stop it doing this!!

That would work, but it's NOT my DNS servers that it's seeing, it's the REPLIES from OTHER DNS servers that get queried.....

var DNS_SERVERS [203.164.20.147/32,203.164.20.148/32]
preprocessor portscan-ignorehosts: $DNS_SERVERS

That is in my snort.conf, but still I see these damn port 53 queries whenever I surf the web!

= Dave Fitches =

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ed Greshko
Sent: Friday, 4 May 2001 01:47
To: sticks.au () bigfoot com
Cc: Snort-Users@Lists. Sourceforge. Net
Subject: RE: [Snort-users] Arghh...how do I stop it doing this!!

Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
[**] MISC source port 53 to <1023 [**]
05/04-00:04:47.283946 209.235.102.13:53 -> 203.164.xxx.xxx:53
UDP TTL:237 TOS:0x0 ID:50935 IpLen:20 DgmLen:460 DF

[**] MISC source port 53 to <1023 [**]
05/04-00:04:47.542673 209.235.102.12:53 -> 203.164.xxx.xxx:53
UDP TTL:237 TOS:0x0 ID:21123 IpLen:20 DgmLen:137 DF

[...etc...]

Damn thing seems to read every DNS query _I_ do as a bloody alert notable event!! ARRGHH!!!

Read the documentation? :-) :-)

Part of the snort.conf has....

# Define the addresses of DNS servers and other hosts
# if you want to ignore portscan false alarms from them...

Do that and things magically get better. I know, I did the same thing earlier today. :-)

Ed

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
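
An added example (not written by any poster in this thread and not Snort project code): a triage script that parses alerts in the layout quoted in the message and separates UDP 53 -> 53 packets addressed to a local caching resolver, the setup Rob describes, from other source-port-53 alerts that still need a look. The sample alerts, their addresses and the `LOCAL_RESOLVERS` value are constructed assumptions.

```python
import re
from collections import Counter

# Alert layout as quoted in the thread:
# [**] msg [**] MM/DD-HH:MM:SS.usec src:sport -> dst:dport PROTO ...
ALERT_RE = re.compile(
    r"\[\*\*\]\s*(?P<msg>.+?)\s*\[\*\*\]\s*"
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>[A-Z]+)"
)

# Assumption: address of the gateway's caching DNS server (constructed value).
LOCAL_RESOLVERS = {"192.0.2.1"}

# Constructed sample alerts using documentation address ranges, not real traffic.
SAMPLE = """\
[**] MISC source port 53 to <1023 [**] 05/04-00:04:47.283946 198.51.100.13:53 -> 192.0.2.1:53 UDP TTL:237 TOS:0x0 ID:50935 IpLen:20 DgmLen:460 DF
[**] MISC source port 53 to <1023 [**] 05/04-00:04:47.542673 198.51.100.12:53 -> 192.0.2.1:53 UDP TTL:237 TOS:0x0 ID:21123 IpLen:20 DgmLen:137 DF
[**] MISC source port 53 to <1023 [**] 05/04-00:05:02.101010 198.51.100.13:53 -> 192.0.2.1:53 UDP TTL:237 TOS:0x0 ID:50940 IpLen:20 DgmLen:212 DF
[**] MISC source port 53 to <1023 [**] 05/04-00:06:11.000321 203.0.113.7:53 -> 192.0.2.20:22 TCP TTL:52 TOS:0x0 ID:4411 IpLen:20 DgmLen:44
[**] MISC source port 53 to <1023 [**] 05/04-00:06:15.770001 203.0.113.7:53 -> 192.0.2.20:111 UDP TTL:52 TOS:0x0 ID:4412 IpLen:20 DgmLen:84
"""

def parse_alerts(text):
    """Return one dict per alert; works on multi-line or flattened text."""
    return [m.groupdict() for m in ALERT_RE.finditer(text)]

def triage(alerts, resolvers=LOCAL_RESOLVERS):
    """Split alerts into (replies-to-resolver counts by source, rest)."""
    replies, review = Counter(), []
    for a in alerts:
        is_reply = (a["proto"] == "UDP" and a["sport"] == "53"
                    and a["dport"] == "53" and a["dst"] in resolvers)
        if is_reply:
            # Consistent with a DNS answer to our resolver. A source port
            # can be forged, so this is noise grouping, not a verdict.
            replies[a["src"]] += 1
        else:
            review.append(a)  # other protocol, port or destination host
    return replies, review

if __name__ == "__main__":
    replies, review = triage(parse_alerts(SAMPLE))
    for src, n in replies.most_common():
        print(f"resolver reply  {src}  x{n}")
    for a in review:
        print(f"REVIEW  {a['ts']}  {a['src']}:{a['sport']} -> "
              f"{a['dst']}:{a['dport']} {a['proto']}")
```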
Current thread:
- Arghh...how do I stop it doing this!! Dave Fitches (May 03)
- RE: Arghh...how do I stop it doing this!! Ed Greshko (May 03)
- RE: Arghh...how do I stop it doing this!! Dave Fitches (May 03)
- Re: Arghh...how do I stop it doing this!! Brian Caswell (May 03)
- <Possible follow-ups>
- RE: Arghh...how do I stop it doing this!! Neil Dickey (May 03)
- RE: Arghh...how do I stop it doing this!! Robert D. Hughes (May 07)
- RE: Arghh...how do I stop it doing this!! Ed Greshko (May 03)