Snort mailing list archives

Re: Portscan preprocessor catching DNS replies


From: Jörgen Persson <jpn () tlth lth se>
Date: Thu, 16 Aug 2001 00:04:55 +0200

On Wed, Aug 15, 2001 at 11:31:13PM +0200, Andreas Östling wrote:

> On Wed, 15 Aug 2001, Jörgen Persson wrote:
> > I used to have the same problem and I couldn't find a way to solve it
> > with ''portscan-ignorehosts''. There might be a way to solve it with a
> > snort rule but I made an ugly bpf hack.
> >
> > % cat /etc/snort/bpf.rules
> > not udp src port domain
> > % snort -F /etc/snort/bpf.rules
>
> This filter is IMO not very good since it ignores too much.
> The problem is that all traffic coming from port 53
> doesn't have to be DNS-related. You probably don't want to miss when
> someone executes a bunch of ntpd exploits against you using 53 as source
> port, for example.
> [snip]

No... that filter isn't good but it's a compromise that works. I'm
relatively new to Snort and all ideas are appreciated.

The problem occurs when there's DNS server traffic within Snort's
reach. Your DNS server will query other servers recursively and that's
why you can't specify them.

Is there a way to specify ranges with BPF? Like:
not udp src port domain and not udp dst port 1024-

Jörgen

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
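A worked comparison of the two filters discussed in this thread, added here as an example and not code from the original message or the Snort project. It models Jörgen's broad filter (`not udp src port domain`) and a narrower variant that answers his range question by using BPF's byte-offset syntax, `udp[2:2] >= 1024` (the 16-bit value at offset 2 of the UDP header is the destination port); on newer libpcap the same range can be written `udp dst portrange 1024-65535` (assumption: libpcap 0.9 or later). The packets are constructed UDP headers, so the script runs without a capture interface.

```python
"""Model of the two BPF filters from the thread, run over constructed UDP headers.
Assumptions: the BPF keywords quoted in the comments are libpcap's;
'portrange' requires libpcap 0.9 or newer, the udp[2:2] form works on older versions too."""
import struct


def udp_header(src_port: int, dst_port: int, payload_len: int = 0) -> bytes:
    """Constructed 8-byte UDP header: src port, dst port, length, checksum (zeroed)."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + payload_len, 0)


def udp_field(udp: bytes, offset: int, size: int) -> int:
    """Equivalent of BPF's udp[offset:size]: big-endian integer read from the UDP
    header, e.g. udp[0:2] is the source port and udp[2:2] the destination port."""
    return int.from_bytes(udp[offset:offset + size], "big")


def broad_filter_keeps(udp: bytes) -> bool:
    """'not udp src port domain': every datagram from source port 53 is dropped."""
    return udp_field(udp, 0, 2) != 53


def narrow_filter_keeps(udp: bytes) -> bool:
    """'not (udp src port domain and udp[2:2] >= 1024)', or with newer libpcap
    'not (udp src port domain and udp dst portrange 1024-65535)':
    only replies from port 53 to an ephemeral destination port are dropped."""
    return not (udp_field(udp, 0, 2) == 53 and udp_field(udp, 2, 2) >= 1024)


# Constructed sample datagrams: (label, source port, destination port)
SAMPLES = [
    ("DNS reply to the resolver's ephemeral port", 53, 34567),
    ("DNS reply to another server's port 53", 53, 53),
    ("datagram from port 53 to the NTP port", 53, 123),
    ("client query to the resolver", 41234, 53),
]


def evaluate(samples=SAMPLES) -> dict:
    """Return {label: (kept by the broad filter, kept by the narrow filter)}."""
    results = {}
    for label, sport, dport in samples:
        udp = udp_header(sport, dport)
        results[label] = (broad_filter_keeps(udp), narrow_filter_keeps(udp))
    return results


if __name__ == "__main__":
    for label, (broad, narrow) in evaluate().items():
        print(f"{label:45s} broad={'keep' if broad else 'drop':4s} "
              f"narrow={'keep' if narrow else 'drop'}")
```

The third sample is the case Andreas raised: the broad filter hides a datagram sent from port 53 to the NTP port, the narrow one still lets Snort see it, while both still suppress the recursive resolver's replies to its ephemeral ports. Anything from port 53 to a port of 1024 or above still bypasses the portscan preprocessor under the narrow filter, so where the resolver's address is known, `portscan-ignorehosts` remains the more precise tool. A filter expression can be syntax-checked without capturing by compiling it with `tcpdump -d 'not (udp src port domain and udp[2:2] >= 1024)'`.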
