Snort mailing list archives

Re: Portscan preprocessor catching DNS replies


From: Neil Dickey <neil () geol niu edu>
Date: Wed, 15 Aug 2001 14:53:37 -0500 (CDT)


Mathieu Nantel <nantel () ecopiabio com> wrote asking:

> My problem resides in the fact that Snort's portscan module is catching
> DNS query replies ( any port 53 -> my_servers port gt 1024). This
> generates a great deal of false positives and I am wondering if there is
> a way to configure the portscan preprocessor so that it ignores it.
> [ ... ]
> Is there a way to deal with this?

Yes, use the "preprocessor portscan-ignorehosts:" directive.  Here's the
syntax:

  preprocessor portscan-ignorehosts: [11.222.33.0/24,444.5.666.7,8.99.0.0/16]

Put it in your snort.config file just below the portscan preprocessor line,
and it should fix your problem.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
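
Added example, not part of the original post and not Snort's own code: a small Python helper that validates the addresses intended for the directive quoted in the reply above, merges overlapping entries, and emits the line in the same bracketed syntax. The function name, the /24 warning threshold and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Assumption (not from the thread): prefixes shorter than this are flagged,
# because every address in an ignored range is exempt from portscan detection.
MIN_PREFIX = 24


def build_ignorehosts(entries, min_prefix=MIN_PREFIX):
    """Validate IPv4 hosts/CIDR blocks and build the portscan-ignorehosts line.

    Returns (line, errors, warnings); line is None when nothing is valid.
    """
    nets, errors, warnings = [], [], []
    for raw in entries:
        text = raw.strip()
        try:
            # strict=False normalises entries such as 198.51.100.7/24 to the network
            net = ipaddress.IPv4Network(text, strict=False)
        except ValueError as exc:
            errors.append(f"{text!r} rejected: {exc}")
            continue
        if net.prefixlen < min_prefix:
            warnings.append(f"{net} exempts {net.num_addresses} addresses from scan detection")
        nets.append(net)

    # Merge duplicates and entries already covered by a wider block.
    merged = list(ipaddress.collapse_addresses(nets))
    if not merged:
        return None, errors, warnings
    items = [str(n.network_address) if n.prefixlen == 32 else str(n) for n in merged]
    return f"preprocessor portscan-ignorehosts: [{','.join(items)}]", errors, warnings


# Constructed sample input: documentation/private ranges standing in for the
# DNS servers, plus the reply's 444.5.666.7 placeholder, which is not a real address.
SAMPLE = ["192.0.2.53", "198.51.100.0/24", "198.51.100.10", "10.20.0.0/16", "444.5.666.7"]

if __name__ == "__main__":
    line, errors, warnings = build_ignorehosts(SAMPLE)
    print(line)
    for msg in errors + warnings:
        print("#", msg)
```

Listing only the individual DNS servers keeps the ignored set as small as possible; the helper warns rather than refuses when a wider block is supplied.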
