Snort mailing list archives

RE: probe alerts


From: "Jyri Hovila" <jyri.hovila () iki fi>
Date: Mon, 6 Aug 2001 03:21:52 +0300

Hi Jim!

Aug  5 18:33:26 clearwater snort[1200]: [1:515:2]  MISC source port 53 to <1024 [Classification: Potentially Bad Traffic   Priority: 2]: 209.242.137.131:53 -> 192.168.1.2:53

192.168.1.2 is the host running snort and named.

Ok, the DNS_SERVERS variable does not affect this. Make sure variables
EXTERNAL_NET and HOME_NET are configured properly in snort.conf. By default,
EXTERNAL_NET's value is 'any', which includes *all* IP addresses, including
the address of this host itself, and this causes false alarms like the one
you're experiencing. I've configured the variables like this:

        var HOME_NET [10.0.0.0/24]
        var EXTERNAL_NET !$HOME_NET

This way EXTERNAL_NET is any address, excluding my home address(es). =)
Just make sure you configure HOME_NET *before* EXTERNAL_NET, otherwise
it won't work.

Also getting a bunch of these logged.
Aug  5 13:45:39 clearwater snort: spp_portscan: portscan status from 192.168.1.2: 1 connections across 1 hosts: TCP(0), UDP(1)
Aug  5 13:45:43 clearwater snort: spp_portscan: portscan status from 192.168.1.2: 1 connections across 1 hosts: TCP(1), UDP(0)
Aug  5 13:45:47 clearwater snort: spp_portscan: portscan status from 192.168.1.2: 2 connections across 2 hosts: TCP(0), UDP(2)
Aug  5 13:45:52 clearwater snort: spp_portscan: End of portscan from 192.168.1.2

In regard to the nameservers var, I've tried this:
var DNS_SERVERS $HOME_NET
and
var DNS_SERVERS 192.168.1.2/32,192.168.1.200/32
(there is another NS on my local subnet)

Correct format for DNS_SERVERS is this:

        var DNS_SERVERS [192.168.1.2/32,192.168.1.200/32]

You have to have the brackets there. Also make sure you have the following
line uncommented:

        preprocessor portscan-ignorehosts: $DNS_SERVERS

I've stopped using the portscan preprocessor as it was giving too many
false alarms. If you're using Snort version 1.8 (and you should! ;),
you can use the stream4 preprocessor to detect portscans.

Hope this helps you!

Yours,

Jyri

Information Security Specialist
Tel: +358-41-448 3238
E-mail: jyri.hovila () iki fi

Certifications:
http://www.brainbench.com/transcript.jsp?pid=2301241
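Added example, not part of Jyri's message or of Snort itself: a small Python model of how Snort resolves `var` lines in order and matches addresses against `any`, bracketed lists and `!`-negated specs. The snort.conf fragments are constructed, with HOME_NET assumed to be 192.168.1.0/24 for Jim's network; it shows why `EXTERNAL_NET any` matches the sensor's own address 192.168.1.2, why `!$HOME_NET` does not, and why HOME_NET must be defined first.

```python
import ipaddress
import re

# Constructed snort.conf fragments (assumption: Jim's LAN is 192.168.1.0/24).
# DEFAULT_CONF reproduces the shipped default that causes the false alarm,
# FIXED_CONF the variable setup Jyri recommends.
DEFAULT_CONF = """
var HOME_NET [192.168.1.0/24]
var EXTERNAL_NET any
var DNS_SERVERS [192.168.1.2/32,192.168.1.200/32]
"""
FIXED_CONF = DEFAULT_CONF.replace("var EXTERNAL_NET any", "var EXTERNAL_NET !$HOME_NET")

def parse_vars(conf):
    """Resolve 'var NAME VALUE' lines top to bottom, expanding $REFS.
    A $REF to a variable not yet defined is an error: this is the
    'configure HOME_NET before EXTERNAL_NET' rule."""
    env = {}
    for line in conf.splitlines():
        m = re.match(r"\s*var\s+(\w+)\s+(\S+)", line)
        if not m:
            continue
        name, value = m.groups()
        def expand(ref):
            if ref.group(1) not in env:
                raise ValueError(f"${ref.group(1)} used before it is defined")
            return env[ref.group(1)]
        env[name] = re.sub(r"\$(\w+)", expand, value)
    return env

def matches(spec, ip):
    """Does ip fall inside a Snort address spec: 'any', '[a/m,b/m]' or '!spec'?"""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not matches(spec[1:], ip)
    nets = spec.strip("[]").split(",")
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)

def source_is_external(conf, src_ip):
    """Would a rule with source $EXTERNAL_NET consider src_ip external?"""
    return matches(parse_vars(conf)["EXTERNAL_NET"], src_ip)

def portscan_ignored(conf, ip):
    """Is ip covered by $DNS_SERVERS, as used by portscan-ignorehosts?"""
    return matches(parse_vars(conf)["DNS_SERVERS"], ip)

def order_ok(conf):
    """True when every $REF in conf resolves, i.e. definition order is usable."""
    try:
        parse_vars(conf)
        return True
    except ValueError:
        return False
```

With the default config the sensor's own address counts as external, so the DNS reply 192.168.1.2:53 -> 192.168.1.2:53 fires rule 1:515; with the fix it does not, while the real external 209.242.137.131 still does.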