Snort mailing list archives

RE: UUnet dns server portscans filling up log.. causing email of real alerts to crash


From: "Madhav Diwan" <mdiwan () wagweb com>
Date: Wed, 11 Jul 2001 11:21:32 -0400

Interesting, thanks Jeff: this seems to be the way to go...

Can you send me some specifics on how you installed that tcpdump rule
set?

Is there any other way to do this? And why doesn't the ignore portscan
hosts preprocessor work in this scenario?

I don't really want to have to use tcpdump files if I don't have
to: I have plenty of space on the drives and it would screw up the mail
alert script that I have built.

-----Original Message-----
From: Jeff Ito [mailto:jeffi () rcn com]
Sent: Wednesday, July 11, 2001 10:48 AM
To: Ramin Alidousti
Cc: Madhav Diwan; snort-users () lists sourceforge net
Subject: Re: [Snort-users] UUnet dns server portscans filling up log.. causing email of real alerts to crash



When I experienced this, it was as a result of users inside a NAT using
an external DNS server, and the large number of people and queries made
the replies (incrementing by port for each user making a DNS query)
appear as a portscan.  My solution was to implement a tcpdump rules
file, ignoring these hosts on DNS ports.

The question is why you're receiving these portscans from 198.6.1.5.
A DNS server is not supposed to send portscans. My hunch is that
someone is spoofing that IP and launching a portscan to your machine.
If that's the case, you should be happy that snort is detecting them
:-)

Ramin

On Wed, Jul 11, 2001 at 09:52:26AM -0400, Madhav Diwan wrote:

Hey guys.. how do I stop this message from getting into the secure log?

Jul 11 09:25:24 FG-IDS1 snort[595]: spp_portscan: portscan status from 198.6.1.5: 1 connections across 1 hosts: TCP(0), UDP(1)

The address is that of a UUnet DNS server.. this address is in the
snort.conf file for the portscan ignore.. but it doesn't seem to
help:

var DNS_SERVERS [198.6.1.5/32,198.6.1.1/32]

preprocessor portscan-ignorehosts: $DNS_SERVERS

Snort has been restarted but still logs these scans.

Does the netmask have to be present for this to work? I am not
certain that this is the netmask of the UUnet servers.. how do I find
out what that is?

This is filling up my secure log and causing my email of alerts to
crash.

Thanks

madhav

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
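One way to keep the DNS-server portscan noise out of a mail alert script without moving to tcpdump files, as an added Python example that is not from this thread or from Snort: filter the secure-log lines before mailing, matching the portscan source address against the same DNS_SERVERS list as CIDR networks (so the /32 in the variable is what makes each entry a single host). The PORTSCAN DETECTED and sshd lines in the sample are constructed for the example.

```python
import ipaddress
import re

# Same hosts as the DNS_SERVERS variable in snort.conf; /32 = a single host.
DNS_SERVERS = ["198.6.1.5/32", "198.6.1.1/32"]

# Constructed sample of the secure-log lines the alert mailer would read.
SAMPLE_LOG = """\
Jul 11 09:25:24 FG-IDS1 snort[595]: spp_portscan: portscan status from 198.6.1.5: 1 connections across 1 hosts: TCP(0), UDP(1)
Jul 11 09:25:31 FG-IDS1 snort[595]: spp_portscan: portscan status from 198.6.1.1: 2 connections across 1 hosts: TCP(0), UDP(2)
Jul 11 09:26:02 FG-IDS1 snort[595]: spp_portscan: PORTSCAN DETECTED from 10.9.8.7 (THRESHOLD 4 connections exceeded in 0 seconds)
Jul 11 09:26:10 FG-IDS1 sshd[601]: Accepted password for madhav from 10.1.1.2 port 1022
"""

# Pulls the source address out of any spp_portscan message ("... from A.B.C.D").
PORTSCAN_RE = re.compile(r"spp_portscan: .*?from (\d{1,3}(?:\.\d{1,3}){3})")


def ignored_networks(cidrs):
    """Parse the ignore list once into ip_network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_ignored_portscan(line, networks):
    """True when the line is a spp_portscan message from an ignored network."""
    m = PORTSCAN_RE.search(line)
    if not m:
        return False
    src = ipaddress.ip_address(m.group(1))
    return any(src in net for net in networks)


def alerts_to_mail(log_text, cidrs=DNS_SERVERS):
    """Return the snort lines worth mailing, dropping portscan noise from DNS servers."""
    networks = ignored_networks(cidrs)
    keep = []
    for line in log_text.splitlines():
        if "snort[" not in line:
            continue  # not a snort message, leave it to other tooling
        if is_ignored_portscan(line, networks):
            continue  # expected DNS reply traffic, not worth a mail
        keep.append(line)
    return keep


if __name__ == "__main__":
    for alert in alerts_to_mail(SAMPLE_LOG):
        print(alert)
```

A wider prefix such as 198.6.1.0/24 in the ignore list suppresses both status lines just the same, which is what makes the netmask question in the thread matter.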
