Re: Portscan preprocessor catching DNS replies

[Jörgen Persson <jpn () tlth lth se>]

On Thu, Aug 16, 2001 at 12:04:55AM +0200, Jörgen Persson wrote:
> On Wed, Aug 15, 2001 at 11:31:13PM +0200, Andreas Östling wrote:
> > On Wed, 15 Aug 2001, Jörgen Persson wrote:
> > > I used to have the same problem and I couldn't find a way to solve it
> > > with ''portscan-ignorehosts''. There might be a way to solve it with a
> > > snort rule but I made an ugly bpf hack.
> > >
> > > % cat /etc/snort/bpf.rules
> > > not udp src port domain
> > > % snort -F /etc/snort/bpf.rules
> >
> > This filter is IMO not very good since it ignores too much.
> > The problem is that all traffic coming from port 53
> > doesn't have to be DNS-related. You probably don't want to miss when
> > someone executes a bunch of ntpd exploits against you using 53 as source
> > port, for example.
> [snip]
>
> No... that filter isn't good but it's a compromise that works. I'm
> relatively new to Snort and all ideas are appreciated.
>
> The problem occours when there's DNS server traffic within Snort's
> reach. Your DNS server will query other servers recursively and that's
> why you can't specify them.


Let us forget about my ugly bpf hack... does this pass rule (in
conjunction with the -o option) look better:

pass udp any 53 -> $HOME_NET 1024:65535

This is my first Snort rule, feel free to laugh :)

Jörgen

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users