Snort mailing list archives
RE: UUnet dns server portscans filling up log.. causing email of real alerts to crash
From: "Madhav Diwan" <mdiwan () wagweb com>
Date: Wed, 11 Jul 2001 11:21:32 -0400
Interesting, thanks Jeff: this seems to be the way to go... Can you send me some specifics on how you installed that tcpdump rule set? Is there any other way to do this? And why doesn't the ignore portscan hosts preprocessor work in this scenario? I don't really want to have to use tcpdump files if I don't have to: I have plenty of space on the drives and it would screw up the mail alert script that I have built.

-----Original Message-----
From: Jeff Ito [mailto:jeffi () rcn com]
Sent: Wednesday, July 11, 2001 10:48 AM
To: Ramin Alidousti
Cc: Madhav Diwan; snort-users () lists sourceforge net
Subject: Re: [Snort-users] UUnet dns server portscans filling up log.. causing email of real alerts to crash

When I experienced this, it was as a result of users inside a NAT using an external DNS server, and the large number of people and queries made the replies (incrementing by port for each user making a DNS query) appear as a portscan. My solution was to implement a tcpdump rules file, ignoring these hosts on DNS ports.

The question is why you're receiving these portscans from 198.6.1.5. A DNS server is not supposed to send portscans. My hunch is that someone is spoofing that IP and launching a portscan to your machine. If that's the case, you should be happy that snort is detecting them :-)

Ramin

On Wed, Jul 11, 2001 at 09:52:26AM -0400, Madhav Diwan wrote:

Hey guys.. how do I stop this message from getting into secure log?

Jul 11 09:25:24 FG-IDS1 snort[595]: spp_portscan: portscan status from 198.6.1.5: 1 connections across 1 hosts: TCP(0), UDP(1)

The address is that of a UUnet DNS server.. this address is in the snort.conf file for the portscan ignore.. but it doesn't seem to help:

var DNS_SERVERS [198.6.1.5/32,198.6.1.1/32]
preprocessor portscan-ignorehosts: $DNS_SERVERS

Snort has been restarted but still logs these scans. Does the netmask have to be present for this to work? I am not certain that this is the netmask of the UUnet servers.. how do I find out what that is? This is filling up my secure log and causing my email of alerts to crash.

thanks
madhav
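Jeff's approach (filtering out the known DNS servers) and Madhav's portscan-ignorehosts entries, as an added example that is not part of the thread or of Snort: a small Python filter that parses spp_portscan status lines in the format quoted above and suppresses those from the listed DNS servers before an alert-mailing script sees them. The sample log lines and the 192.0.2.77 source are constructed, and the UDP-only refinement (still reporting TCP activity from an ignored host) is this example's own heuristic, not a Snort option.

```python
import ipaddress
import re

# Constructed sample syslog lines; the first one follows the spp_portscan
# status line format quoted in the thread, the others are invented.
SAMPLE_LOG = [
    "Jul 11 09:25:24 FG-IDS1 snort[595]: spp_portscan: portscan status from "
    "198.6.1.5: 1 connections across 1 hosts: TCP(0), UDP(1)",
    "Jul 11 09:25:31 FG-IDS1 snort[595]: spp_portscan: portscan status from "
    "198.6.1.1: 3 connections across 1 hosts: TCP(0), UDP(3)",
    "Jul 11 09:26:05 FG-IDS1 snort[595]: spp_portscan: portscan status from "
    "192.0.2.77: 12 connections across 1 hosts: TCP(12), UDP(0)",
    "Jul 11 09:26:40 FG-IDS1 snort[595]: spp_portscan: portscan status from "
    "198.6.1.5: 5 connections across 2 hosts: TCP(5), UDP(0)",
    "Jul 11 09:26:09 FG-IDS1 sshd[801]: Accepted publickey for madhav from 10.0.0.5",
]
# The same entries as the $DNS_SERVERS var in the thread's snort.conf.
DNS_SERVERS = ["198.6.1.5/32", "198.6.1.1/32"]
# Fields of a "portscan status" line as spp_portscan writes it to syslog.
PORTSCAN_RE = re.compile(
    r"snort\[\d+\]: spp_portscan: portscan status from (?P<src>[\d.]+): "
    r"(?P<conns>\d+) connections across (?P<hosts>\d+) hosts: "
    r"TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)"
)

def parse_portscan(line):
    """Return the fields of a portscan status line as a dict, else None."""
    if (m := PORTSCAN_RE.search(line)) is None:
        return None
    return {k: (v if k == "src" else int(v)) for k, v in m.groupdict().items()}

def build_ignore_list(entries):
    """Accept bare hosts or CIDR strings, as the $DNS_SERVERS var does."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def filter_alerts(lines, ignore_entries, udp_noise_only=True):
    """Return (kept alerts, number suppressed). With udp_noise_only, an ignored
    host is suppressed only while its activity is pure UDP (DNS replies)."""
    nets = build_ignore_list(ignore_entries)
    kept, suppressed = [], 0
    for line in lines:
        alert = parse_portscan(line)
        if alert is None:
            continue  # not a portscan status line (other snort or syslog output)
        ignored = any(ipaddress.ip_address(alert["src"]) in net for net in nets)
        if ignored and (not udp_noise_only or alert["tcp"] == 0):
            suppressed += 1
        else:
            kept.append(alert)
    return kept, suppressed
```

Run over the constructed lines, the two pure-UDP entries from the listed DNS servers are suppressed, while the TCP activity from 198.6.1.5 and the unlisted 192.0.2.77 source are kept for the mailer.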