Snort mailing list archives
Re: UUnet dns server portscans filling up log.. causing email of real alerts to crash
From: Jeff Ito <jeffi () rcn com>
Date: Wed, 11 Jul 2001 10:48:15 -0400 (EDT)
When I experienced this, it was as a result of users inside a NAT using an external DNS server, and the large number of people and queries made the replies (incrementing by port for each user making a DNS query) appear as a portscan. My solution was to implement a tcpdump rules file, ignoring these hosts on DNS ports.
> The question is why you're receiving these portscans from 198.6.1.5. A DNS server is not supposed to send portscans. My hunch is that someone is spoofing that IP and launching a portscan to your machine. If that's the case, you should be happy that snort is detecting them :-)
>
> Ramin
>
> On Wed, Jul 11, 2001 at 09:52:26AM -0400, Madhav Diwan wrote:
> > Hey guys.. how do I stop this message from getting into secure log?
> >
> > Jul 11 09:25:24 FG-IDS1 snort[595]: spp_portscan: portscan status from 198.6.1.5: 1 connections across 1 hosts: TCP(0), UDP(1)
> >
> > The address is that of a UUnet DNS server.. this address is in the snort.conf file for the portscan ignore.. but it doesn't seem to help:
> >
> > var DNS_SERVERS [198.6.1.5/32,198.6.1.1/32]
> > preprocessor portscan-ignorehosts: $DNS_SERVERS
> >
> > snort has been restarted but still logs these scans. Does the netmask have to be present for this to work? I am not certain that this is the netmask of the UUnet servers.. how do I find out what that is?
> >
> > This is filling up my secure log and causing my email of alerts to crash.
> >
> > thanks
> > madhav
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
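The mechanism Jeff describes (many NAT'd clients, one resolver, replies landing on many ports of one outside address) is easy to see with a small simulation. The following is an added example and is not code from the thread or from Snort: it uses a toy "distinct destination ports per source within a window" heuristic rather than spp_portscan's real counters, assumes 192.0.2.10 as the NAT gateway's outside address, and reuses the 198.6.1.5/198.6.1.1 addresses quoted in the thread. It compares a whole-host ignore list (what `portscan-ignorehosts` does) with a narrower reply-only filter of the kind a tcpdump rules file can express, on both the legitimate DNS traffic and on the spoofed-source scan Ramin is worried about.

```python
"""Added example, not from the thread or from Snort: why DNS replies to NAT'd
clients look like a UDP portscan, and what a whole-host ignore list versus a
reply-only filter leaves for a portscan detector to see. The scan heuristic
and thresholds are a toy; Snort 1.x spp_portscan uses its own counters."""
import ipaddress
from collections import defaultdict

DNS_SERVERS = ["198.6.1.5/32", "198.6.1.1/32"]   # from the quoted snort.conf
NAT_GW = "192.0.2.10"                             # assumed NAT outside address

# A packet record is (timestamp, src_ip, src_port, dst_ip, dst_port, proto).


def build_dns_traffic(n_queries=8):
    """Constructed traffic: n inside clients behind NAT_GW each resolve a name
    via 198.6.1.5. The NAT allocates a fresh source port per query, so the
    replies come back from 198.6.1.5:53 to n different ports on NAT_GW."""
    pkts = []
    for i in range(n_queries):
        sport = 32768 + i
        pkts.append((i * 0.5, NAT_GW, sport, "198.6.1.5", 53, "udp"))         # query
        pkts.append((i * 0.5 + 0.02, "198.6.1.5", 53, NAT_GW, sport, "udp"))  # reply
    return pkts


def build_spoofed_scan(n_ports=8):
    """Constructed traffic: a real UDP sweep of NAT_GW whose source address is
    forged as 198.6.1.5 (Ramin's case), sent from a source port other than 53."""
    return [(i * 0.1, "198.6.1.5", 40000, NAT_GW, 1000 + i, "udp")
            for i in range(n_ports)]


def detect_portscans(pkts, threshold=4, window=10.0):
    """Toy heuristic: report (src, dst) pairs where one source hits at least
    `threshold` distinct destination ports on one host within `window` seconds.
    Returns {(src_ip, dst_ip): max distinct ports seen in any window}."""
    by_pair = defaultdict(list)
    for ts, src, _sport, dst, dport, _proto in pkts:
        by_pair[(src, dst)].append((ts, dport))
    hits = {}
    for pair, events in by_pair.items():
        events.sort()
        best = 0
        for i, (ts, _) in enumerate(events):
            ports = {p for t, p in events[: i + 1] if t >= ts - window}
            best = max(best, len(ports))
        if best >= threshold:
            hits[pair] = best
    return hits


def _in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def ignore_hosts(pkts, nets):
    """Whole-host exemption, the effect of 'portscan-ignorehosts': drop every
    packet whose source is in one of the listed networks, any port, any proto."""
    nets = [ipaddress.ip_network(n) for n in nets]
    return [p for p in pkts if not _in_nets(p[1], nets)]


def drop_dns_replies(pkts, nets):
    """Narrower exemption in the spirit of a tcpdump rules file, roughly
    'not (src net <servers> and udp src port 53)': only resolver replies are
    excluded; anything else from those addresses is still inspected."""
    nets = [ipaddress.ip_network(n) for n in nets]
    return [p for p in pkts
            if not (p[5] == "udp" and p[2] == 53 and _in_nets(p[1], nets))]


def compare():
    """Run the detector over each scenario and filter. Returns a dict."""
    dns, scan = build_dns_traffic(), build_spoofed_scan()
    return {
        "dns_raw": detect_portscans(dns),
        "dns_ignore_hosts": detect_portscans(ignore_hosts(dns, DNS_SERVERS)),
        "dns_reply_filter": detect_portscans(drop_dns_replies(dns, DNS_SERVERS)),
        "scan_raw": detect_portscans(scan),
        "scan_ignore_hosts": detect_portscans(ignore_hosts(scan, DNS_SERVERS)),
        "scan_reply_filter": detect_portscans(drop_dns_replies(scan, DNS_SERVERS)),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:18s} {result or 'no scan reported'}")
```

Both filters silence the false positive from the resolver's replies. The difference shows on the forged-source scan: the whole-host ignore list hides it entirely, while the reply-only filter still reports it because the scanner's source port is not 53. The reply-only filter is not airtight either, since a scanner that sets its source port to 53 would slip through it as well; it is simply the smaller hole.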
Current thread:
- UUnet dns server portscans filling up log.. causing email of real alerts to crash Madhav Diwan (Jul 11)
- Re: UUnet dns server portscans filling up log.. causing email of real alerts to crash Ramin Alidousti (Jul 11)
- Re: UUnet dns server portscans filling up log.. causing email of real alerts to crash Jeff Ito (Jul 11)
- Re: UUnet dns server portscans filling up log.. causing email of real alerts to crash Ramin Alidousti (Jul 11)
- Re: UUnet dns server portscans filling up log.. causing email of real alerts to crash Jeff Ito (Jul 11)
- <Possible follow-ups>
- RE: UUnet dns server portscans filling up log.. causing email of real alerts to crash Madhav Diwan (Jul 11)
- RE: UUnet dns server portscans filling up log.. causing email of real alerts to crash Madhav Diwan (Jul 11)
- Re: UUnet dns server portscans filling up log.. causing email of real alerts to crash Ramin Alidousti (Jul 11)