Snort mailing list archives
Re: HELP!
From: Noah Silverman <noah () webclipping com>
Date: Fri, 09 Nov 2001 14:05:47 -0500
Guillaume.

I tried this. It DOES stop the portscan report, BUT I still get logging from my DNS IP and entries in the alert log file. I am also getting entries from the IP of my machine.

I DO have my home IP set correctly.

Help??

-N

On 11/9/01 11:43 AM, "Guillaume" <guillaume () anteria fr> wrote:
> In reply to Noah Silverman <noah () webclipping com>:
>
> > I've set up snort on our network, but I can't seem to keep it from logging alerts from our DNS machines.
>
> Did you set the DNS_SERVERS variable in your snort configuration file?
>
> <extract from snort.conf>
> Define the addresses of DNS servers and other hosts if you want to ignore portscan false alarms from them...
> var DNS_SERVERS ...
> </extract>
>
> <other extract from snort.conf>
> Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from specific networks or hosts to reduce false alerts. It is typical to see many false alerts from DNS servers so you may want to add your DNS servers here. You can add multiple hosts/networks in a whitespace-delimited list
> preprocessor portscan-ignorehosts: $DNS_SERVERS
> </other extract>
>
> Guillaume.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
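An added triage example, not part of the original thread or of Snort itself: it splits an alert file into portscan-preprocessor reports and all other alerts for a set of watched hosts, to show which kind of entry still names the DNS server or the local machine once portscan-ignorehosts is set. The alert layout, addresses, and rule message below are constructed assumptions modeled on a Snort alert file.

```python
import re
from collections import Counter

# Constructed sample in the style of a Snort alert file (layout is an assumption).
SAMPLE_ALERTS = """\
[**] spp_portscan: PORTSCAN DETECTED from 192.0.2.53 (THRESHOLD 4 connections exceeded in 1 seconds) [**]
11/09-13:58:02.114201

[**] [1:0:0] Constructed example rule alert [**]
11/09-14:01:10.532100 192.0.2.53:53 -> 192.0.2.10:1044
UDP TTL:64 TOS:0x0 ID:4242 IpLen:20 DgmLen:120

[**] [1:0:0] Constructed example rule alert [**]
11/09-14:02:31.000912 192.0.2.10:1045 -> 198.51.100.7:80
TCP TTL:64 TOS:0x0 ID:4243 IpLen:20 DgmLen:60
"""

HEADER = re.compile(r"^\[\*\*\]\s*(.*?)\s*\[\*\*\]$")
PORTSCAN_SRC = re.compile(r"^spp_portscan: .*? from (\d+\.\d+\.\d+\.\d+)")
FLOW = re.compile(r"(\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (\d+\.\d+\.\d+\.\d+)")

def classify(alert_text, watched_hosts):
    """Count alerts per (source IP, kind) for sources listed in watched_hosts."""
    counts = Counter()
    for block in alert_text.strip().split("\n\n"):
        lines = block.strip().splitlines()
        head = HEADER.match(lines[0]) if lines else None
        if not head:
            continue  # block does not start with an alert header
        scan = PORTSCAN_SRC.match(head.group(1))
        if scan:
            # Report written by the portscan preprocessor.
            src, kind = scan.group(1), "portscan-preprocessor"
        else:
            # Any other alert: take the source from the "src -> dst" line.
            flow = next((m for m in map(FLOW.search, lines[1:]) if m), None)
            if not flow:
                continue
            src, kind = flow.group(1), "rule"
        if src in watched_hosts:
            counts[(src, kind)] += 1
    return counts

if __name__ == "__main__":
    watched = {"192.0.2.53", "192.0.2.10"}  # constructed DNS server and local host
    for (src, kind), n in sorted(classify(SAMPLE_ALERTS, watched).items()):
        print(f"{src:15} {kind:22} {n}")
```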