Snort mailing list archives

Re: UUnet dns server portscans filling up log.. causing email of real alerts to crash


From: Ramin Alidousti <ramin () cannon eng us uu net>
Date: Wed, 11 Jul 2001 11:43:39 -0400

On Wed, Jul 11, 2001 at 10:48:15AM -0400, Jeff Ito wrote:


When I experienced this, it was as a result of users inside a NAT using an
external DNS server, and the large number of people and queries made the
replies (incrementing by port for each user making a DNS query) appear as a
portscan.  My solution was to implement a tcpdump rulesfile, ignoring
these hosts on DNS ports.

If you set up a DNS server internally and have the people inside point
to that server, all your problems will be solved. Plus, it gives you
some caching advantages as well :-)

Ramin


The question is why you're receiving these portscans from 198.6.1.5.
A DNS server is not supposed to send portscans. My hunch is that
someone is spoofing that IP and launching a portscan to your machine.
If that's the case, you should be happy that snort is detecting them :-)

Ramin

On Wed, Jul 11, 2001 at 09:52:26AM -0400, Madhav Diwan wrote:

Hey guys.. how do i stop this message from getting into secure log?

Jul 11 09:25:24 FG-IDS1 snort[595]: spp_portscan: portscan status from
198.6.1.5: 1 connections across 1 hosts: TCP(0), UDP(1)

the address is that of a uunet dns server, .. this address is in the
snort.conf file for the portscan ignore .. but it doesn't seem to help:

var DNS_SERVERS [198.6.1.5/32,198.6.1.1/32]

preprocessor portscan-ignorehosts: $DNS_SERVERS

snort has been restarted but still logs these scans.

does the netmask have to be present for this to work ? I am not certain
that this is the netmask of the uunet servers .. how do i find out what
that is?

this is filling up my secure log and causing my email of alerts to crash

thanks 

madhav

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
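As an added illustration (not code from the thread, and not Snort's own preprocessor), the toy detector below models why the situation Jeff and Ramin describe looks like a scan: a resolver answering from port 53 to a NAT gateway hits a fresh ephemeral port for every client query, so a per-source counter of distinct destination ports trips a threshold. It then shows two ways of suppressing that, an all-traffic ignore list (the shape of `portscan-ignorehosts`) and a narrower host-plus-port-53 exclusion (the shape of Jeff's tcpdump filter), and that a bare address and an address with `/32` behave the same in the ignore list. The gateway address `203.0.113.10`, the scanner `192.0.2.77`, the threshold and all packets are constructed sample values; `198.6.1.5` is the resolver named in the thread.

```python
"""Toy portscan heuristic over constructed UDP packet records.

Added example; it is a simplified model, not Snort's spp_portscan logic.
"""
import ipaddress
from collections import defaultdict

RESOLVER = "198.6.1.5"          # the UUnet resolver named in the thread
NAT_GATEWAY = "203.0.113.10"    # constructed (RFC 5737 documentation range)
SCANNER = "192.0.2.77"          # constructed (RFC 5737 documentation range)

# Constructed packets as (src_ip, src_port, dst_ip, dst_port).
# 40 DNS replies: port 53 -> a new ephemeral port on the NAT box per query.
SAMPLE_PACKETS = [(RESOLVER, 53, NAT_GATEWAY, 1024 + i) for i in range(40)]
# 12 probes from a constructed scanner walking low ports on the gateway.
SAMPLE_PACKETS += [(SCANNER, 40000 + i, NAT_GATEWAY, 20 + i) for i in range(12)]
# 11 packets from the resolver address that are NOT sourced from port 53.
SAMPLE_PACKETS += [(RESOLVER, 4444, NAT_GATEWAY, 2000 + i) for i in range(11)]


def parse_ignore_list(entries):
    """Turn entries such as '198.6.1.5/32' or '198.6.1.5' into networks.

    A bare address becomes a /32, so a netmask is optional in this model.
    """
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def in_networks(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def detect_portscans(packets, ignore_hosts=(), ignore_dns_hosts=(), port_threshold=10):
    """Flag sources touching more than port_threshold distinct (dst, dport) pairs.

    ignore_hosts:     skip every packet from these networks (all-traffic ignore,
                      the shape of Snort's portscan-ignorehosts).
    ignore_dns_hosts: skip packets from these networks only when the source
                      port is 53 (the shape of a 'host X and udp port 53'
                      tcpdump filter); other traffic from them still counts.
    Returns {src_ip: distinct_pair_count} for flagged sources.
    """
    all_nets = parse_ignore_list(ignore_hosts)
    dns_nets = parse_ignore_list(ignore_dns_hosts)
    seen = defaultdict(set)
    for src, sport, dst, dport in packets:
        if in_networks(src, all_nets):
            continue
        if sport == 53 and in_networks(src, dns_nets):
            continue
        seen[src].add((dst, dport))
    return {src: len(pairs) for src, pairs in seen.items() if len(pairs) > port_threshold}


if __name__ == "__main__":
    print("no ignore list:   ", detect_portscans(SAMPLE_PACKETS))
    print("ignore host /32:  ", detect_portscans(SAMPLE_PACKETS, ignore_hosts=["198.6.1.5/32"]))
    print("ignore bare host: ", detect_portscans(SAMPLE_PACKETS, ignore_hosts=["198.6.1.5"]))
    print("ignore host:53:   ", detect_portscans(SAMPLE_PACKETS, ignore_dns_hosts=["198.6.1.5"]))
```

The last two runs show the trade-off between the two exclusions: ignoring the resolver address outright silences it completely, while the port-53-only exclusion keeps counting anything from that address that is not a DNS reply, which is the case Ramin raises about traffic that only claims to come from a DNS server.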
