Snort mailing list archives

Re: False positives with UDP Portscan PROTO255


From: Rich Adamson <radamson () routers com>
Date: Sat, 5 Mar 2005 18:09:35 -0600

Mike Lieberman wrote:
I have doubts about some of the messages I am getting from Snort (using 
rules for 2.3). For instance the following portscan message is from 
ns1.sprintlink.net to ns1.netwright.net. We see DNS server to DNS Server 
traffic labeled as port scans. In the case below, unless Sprint’s 
primary name server ( as well as many others from [have]) has been 
compromised, these ‘portscans’ would actually have to be something 
related to BIND.

Any significant number of DNS queries within a short time (depending on 
your portscan settings) will do this because the traffic is 
connectionless.  Although you and I know these are query/response, the 
generic portscan preprocessor doesn't.

I think what he's observing is an overly sensitive portscan detector.
I've noticed the same thing with lots of other port numbers, and not
just dns. For all practical purposes, we've had to disable the detector
as it generates far too much noise.
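The mechanism described in the thread (connectionless DNS query/response traffic tripping a generic port-scan counter) can be shown with a small model. The code below is an added illustration, not part of the thread and not Snort's sfportscan algorithm: it implements a naive "distinct destination ports per source within a time window" heuristic over constructed packet records, shows that an authoritative DNS server answering a resolver's queries on many ephemeral ports is flagged exactly like a UDP scan, and then adds a response-pairing check that suppresses that false positive while still catching a real one-sided scan. The addresses, ports, window and threshold are all assumptions.

```python
"""
Added example (not from the thread): why a generic UDP port-scan heuristic
flags DNS server-to-server traffic, and one defender-side mitigation
(pairing responses with the packets they answer before counting probes).

All packet records are constructed sample data; hosts, ports, window and
threshold are assumptions, not sfportscan's real algorithm or settings.
"""
from collections import defaultdict

# Assumed addresses (RFC 5737 documentation ranges, constructed for the demo).
RESOLVER = "192.0.2.10"    # recursive resolver sending queries
AUTH = "198.51.100.53"     # authoritative server answering them
SCANNER = "203.0.113.7"    # host performing a real one-sided UDP scan
TARGET = "192.0.2.20"      # host being scanned

# Packet record layout: (timestamp, src_ip, src_port, dst_ip, dst_port)


def build_dns_exchange(n):
    """Constructed traffic: n DNS queries from distinct ephemeral source
    ports to AUTH:53, each answered a few ms later. The answers travel
    AUTH:53 -> RESOLVER:<many distinct ports>, which is what a port-agnostic
    counter sees as 'AUTH scanning RESOLVER'."""
    pkts = []
    for i in range(n):
        sport = 40000 + i
        t = 0.01 * i
        pkts.append((t, RESOLVER, sport, AUTH, 53))           # query
        pkts.append((t + 0.002, AUTH, 53, RESOLVER, sport))   # response
    return pkts


def build_udp_scan(n):
    """Constructed traffic: n probes from one source port to n different
    destination ports, with no replies at all."""
    return [(0.01 * i, SCANNER, 55555, TARGET, 1 + i) for i in range(n)]


def _count_and_alert(seen, alerts, t, src, dst, dport, window, threshold):
    """Shared sliding-window bookkeeping for the two detectors below."""
    hist = seen[(src, dst)]
    hist.append((t, dport))
    while hist and hist[0][0] < t - window:      # drop records outside window
        hist.pop(0)
    if len({p for _, p in hist}) >= threshold:   # distinct ports hit in window
        alerts.add((src, dst))


def naive_port_counter(pkts, window=1.0, threshold=20):
    """Generic heuristic: alert when one source hits >= threshold distinct
    destination ports on one host within `window` seconds. It has no notion
    of request/response, so DNS answers look exactly like a scan."""
    seen, alerts = defaultdict(list), set()
    for t, src, _sport, dst, dport in sorted(pkts, key=lambda p: p[0]):
        _count_and_alert(seen, alerts, t, src, dst, dport, window, threshold)
    return alerts


def response_aware_counter(pkts, window=1.0, threshold=20):
    """Same heuristic, but a packet whose 4-tuple mirrors one already seen in
    the other direction is treated as a response and is not counted as a
    probe. One-sided scans (no replies) are still counted and alerted."""
    seen, alerts = defaultdict(list), set()
    outstanding = set()   # 4-tuples (src, sport, dst, dport) already observed
    for t, src, sport, dst, dport in sorted(pkts, key=lambda p: p[0]):
        if (dst, dport, src, sport) in outstanding:
            continue                       # answers something we saw go out
        outstanding.add((src, sport, dst, dport))
        _count_and_alert(seen, alerts, t, src, dst, dport, window, threshold)
    return alerts


if __name__ == "__main__":
    dns, scan = build_dns_exchange(30), build_udp_scan(30)
    print("naive, DNS traffic:     ", naive_port_counter(dns))
    print("naive, real scan:       ", naive_port_counter(scan))
    print("paired, DNS traffic:    ", response_aware_counter(dns))
    print("paired, real scan:      ", response_aware_counter(scan))
```

Run as-is, the naive counter reports `(AUTH, RESOLVER)` for the legitimate DNS exchange and `(SCANNER, TARGET)` for the scan; the response-aware counter reports only the scan. The pairing check is one of two practical answers to the noise described in the thread, the other being to exempt known DNS servers from the counter rather than disabling it outright.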






