[Snort-users] Re: Stateful portscan detection anybody?
jpp at ...230...
Thu Aug 31 03:12:11 EDT 2000
At 09:48 PM 08/30/2000, Vitaly McLain wrote:
>I am in a real hurry so I could have missed something about your message,
>but it seems to me you just need to add the IPs of your DNS servers to the:
>line of the rules file.
>twistah at ...93...
I'm monitoring the "red" net outside my firewall and it's the DNS query
traffic from my firewall to servers all over the net that is causing the
I've started looking at the source - one issue I see is that connections
are expired and removed from the linked lists on a time basis - this will
generate a race condition where the outbound DNS query could be removed and
so the reply won't be matched. Clearly adding DNS statefulness is
not going to be trivial.
It seems to be only DNS that has this issue - I suspect because it's the
only common service that uses UDP.
More when I get through reading the source.
John Pettitt Email: jpp at ...230...
"Attention spam" - The length of time it takes you to realize an email
isn't worth reading.
PGP keys on MIT & pgp.com servers.
Fingerprint: 81B5 446D 3E0E 1CDE 5A45 644A A744 54C4 7886 3658
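
The expiry race described in the message above, as an added example that is not part of the original post and is not Snort's code: a minimal UDP state table whose entries are removed purely by age, so a slow DNS reply finds no matching query and looks unsolicited. The struct, function names, 5-second timeout and addresses are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FLOWS 64
#define EXPIRE_SECS 5   /* assumed timeout, not a Snort value */

struct flow { uint32_t src, dst; uint16_t sport, dport; long seen; int used; };
static struct flow table[MAX_FLOWS];

/* Time-based sweep: drop every entry older than EXPIRE_SECS. */
static void expire(long now) {
    for (int i = 0; i < MAX_FLOWS; i++)
        if (table[i].used && now - table[i].seen > EXPIRE_SECS)
            table[i].used = 0;
}

/* Record an outbound UDP query. Returns 0 on success, -1 if the table is full. */
int track_query(uint32_t src, uint16_t sport, uint32_t dst, uint16_t dport, long now) {
    expire(now);
    for (int i = 0; i < MAX_FLOWS; i++)
        if (!table[i].used) {
            table[i] = (struct flow){ src, dst, sport, dport, now, 1 };
            return 0;
        }
    return -1;
}

/* Reply matches when it mirrors a tracked query: 1 = matched, 0 = looks unsolicited. */
int match_reply(uint32_t src, uint16_t sport, uint32_t dst, uint16_t dport, long now) {
    expire(now);
    for (int i = 0; i < MAX_FLOWS; i++)
        if (table[i].used && table[i].src == dst && table[i].sport == dport &&
            table[i].dst == src && table[i].dport == sport) {
            table[i].used = 0;   /* one reply per query */
            return 1;
        }
    return 0;
}

void reset_table(void) { memset(table, 0, sizeof table); }

int main(void) {
    uint32_t fw = 0xC0000201, ns = 0xC6336407;  /* constructed: 192.0.2.1, 198.51.100.7 */
    track_query(fw, 40000, ns, 53, 100);
    printf("prompt reply matched: %d\n", match_reply(ns, 53, fw, 40000, 101));
    track_query(fw, 40001, ns, 53, 200);
    printf("slow reply matched:   %d\n", match_reply(ns, 53, fw, 40001, 206));
    return 0;
}
```

The second reply arrives one second after its query aged out, so a detector built on this table would count a legitimate answer as an unsolicited UDP packet to a high port.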