Snort mailing list archives

Re: Portscan preprocessor catching DNS replies


From: Andreas Östling <andreaso () it su se>
Date: Wed, 15 Aug 2001 23:31:13 +0200 (CEST)


On Wed, 15 Aug 2001, Jörgen Persson wrote:
> I used to have the same problem and I couldn't find a way to solve it
> with ''portscan-ignorehosts''. There might be a way to solve it with a
> snort rule but I made an ugly bpf hack.
>
> % cat /etc/snort/bpf.rules
> not udp src port domain
> % snort -F /etc/snort/bpf.rules

This filter is IMO not very good since it ignores too much.
The problem is that all traffic coming from port 53
doesn't have to be DNS-related. You probably don't want to miss when
someone executes a bunch of ntpd exploits against you using 53 as source
port, for example.

If the problem is the portscan preprocessor, portscan-ignorehosts is the
place to add the host. If the problem is a rule, it's better to write a
specific pass rule, or perhaps use a more specific bpf filter for the
particular hosts/ports you want to ignore.

Regards,
Andreas Östling


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
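To make the point of the reply concrete, here is an added example (not code from Snort, libpcap or either poster) that evaluates the two filters under discussion over a few constructed packets: the broad `not udp src port domain` from the quoted message, and a host-specific alternative of the kind Andreas suggests. It implements only the handful of BPF primitives used here (`udp`/`tcp`, `src`/`dst` `host`, `src`/`dst` `port`, `not`/`and`/`or`, parentheses) with the same precedence as pcap-filter(7); the resolver address 192.0.2.53 and the other addresses are constructed sample values. A packet that "passes" the filter is one Snort would actually see when started with `-F`.

```python
"""Toy evaluator for a subset of BPF filter syntax over constructed packets.

Added example, not libpcap: it mirrors the boolean semantics of the
primitives used in this thread so the blind spot of a broad filter can be
compared with a host-specific one. Addresses are constructed sample values.
"""
import re
from collections import namedtuple

# Constructed packet record: protocol name, addresses as strings, ports as ints.
Packet = namedtuple("Packet", "proto src dst sport dport")

# libpcap resolves port names via /etc/services; a few are hard-coded here.
SERVICE_PORTS = {"domain": 53, "ntp": 123, "ssh": 22, "http": 80}

TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")


def resolve_port(name):
    if name.isdigit():
        return int(name)
    if name in SERVICE_PORTS:
        return SERVICE_PORTS[name]
    raise ValueError(f"unknown port name {name!r}")


def match_host(p, addr, direction):
    if direction == "src":
        return p.src == addr
    if direction == "dst":
        return p.dst == addr
    return addr in (p.src, p.dst)          # plain 'host' means either side


def match_port(p, port, direction):
    if direction == "src":
        return p.sport == port
    if direction == "dst":
        return p.dport == port
    return port in (p.sport, p.dport)      # plain 'port' means either side


class Parser:
    """Recursive descent: or < and < not < primary, as in pcap-filter(7)."""

    def __init__(self, expr):
        self.toks = TOKEN_RE.findall(expr)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter expression")
        if expected is not None and tok != expected:
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return node

    def parse_or(self):
        left = self.parse_and()
        while self.peek() in ("or", "||"):
            self.take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.peek() in ("and", "&&"):
            self.take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self.parse_not())
        return left

    def parse_not(self):
        if self.peek() in ("not", "!"):
            self.take()
            inner = self.parse_not()
            return lambda p: not inner(p)
        return self.parse_primary()

    def parse_primary(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            self.take(")")
            return node
        if tok in ("udp", "tcp", "icmp"):
            proto_test = lambda p, proto=tok: p.proto == proto
            # pcap lets the protocol qualify the next primitive: 'udp src port 53'
            if self.peek() in ("src", "dst", "host", "port"):
                rest = self.parse_primary()
                return lambda p: proto_test(p) and rest(p)
            return proto_test
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok == "host":
            addr = self.take()
            return lambda p: match_host(p, addr, direction)
        if tok == "port":
            port = resolve_port(self.take())
            return lambda p: match_port(p, port, direction)
        raise ValueError(f"unsupported primitive {tok!r}")


def compile_filter(expr):
    return Parser(expr).parse()


def apply_filter(expr, packets):
    """Packets that pass the filter, i.e. the ones Snort would still inspect."""
    test = compile_filter(expr)
    return [p for p in packets if test(p)]


def blind_spot(broad, narrow, packets):
    """Packets the narrow filter keeps that the broad filter throws away."""
    return sorted(set(apply_filter(narrow, packets)) - set(apply_filter(broad, packets)))


# Constructed sample traffic (192.0.2.53 plays the role of the site's resolver).
PACKETS = [
    Packet("udp", "192.0.2.53", "10.0.0.5", 53, 40123),   # reply from our resolver
    Packet("udp", "198.51.100.7", "10.0.0.5", 53, 123),   # source port 53 aimed at ntpd
    Packet("udp", "10.0.0.5", "192.0.2.53", 40123, 53),   # our own query
    Packet("tcp", "198.51.100.7", "10.0.0.5", 53, 22),    # source port 53 aimed at sshd
]

BROAD = "not udp src port domain"                                   # from the quoted message
NARROW = "not (udp and src host 192.0.2.53 and src port domain)"   # only our resolver's replies

if __name__ == "__main__":
    for expr in (BROAD, NARROW):
        print(expr, "->", [p.src + ":" + str(p.sport) for p in apply_filter(expr, PACKETS)])
    print("hidden by the broad filter only:", blind_spot(BROAD, NARROW, PACKETS))
```

Running it shows the trade-off in the reply: the broad filter hides the UDP packet from 198.51.100.7:53 to port 123 along with the legitimate resolver reply, while the narrow filter still lets Snort see it. The same narrowing applies to a pass rule: scope it to the resolver's address and port rather than to source port 53 alone.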
