[Snort-users] Re: Stateful portscan detection anybody?

John Pettitt jpp at ...230...
Thu Aug 31 03:12:11 EDT 2000


At 09:48 PM 08/30/2000, Vitaly McLain wrote:
>Hi,
>
>I am in a real hurry so I could have missed something about your message,
>but it seems to me you just need to add the IPs of your DNS servers to the:
>preprocessor portscan-ignorehosts:
>line of the rules file.
>
>Vitaly McLain
>twistah at ...93...
>

I'm monitoring the "red" net outside my firewall and it's the DNS query 
traffic from my firewall to servers all over the net that is causing the 
problems.

I've started looking at the source - one issue I see is that connections 
are expired and removed from the linked lists on a time basis - this will 
generate a race condition where the outbound DNS query could be removed and 
so the reply won't be matched. Clearly adding DNS statefulness is 
not going to be trivial.

It seems to be only DNS that has this issue - I suspect because it's the 
only common service that uses UDP.

More when I get through reading the source.

John Pettitt                                     Email: jpp at ...230...

"Attention spam" - The length of time it takes you to realize an email 
isn't worth reading.

PGP keys on MIT & pgp.com servers.
Fingerprint: 81B5 446D 3E0E 1CDE 5A45  644A A744 54C4 7886 3658
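The expiry race described in the message above, as an added simulation that is not Snort's code and not part of the original post. It models a minimal stateful UDP tracker that purges entries on a timer, the way the post describes the linked lists being expired, and shows that a DNS reply arriving after the purge is counted as unsolicited, while a reply window longer than the worst-case resolver latency leaves only the genuinely unsolicited probe flagged. All class and function names, the constructed traffic, and the addresses (documentation ranges) are assumptions of this example.

```python
"""Simulation of a stateful UDP tracker with time-based expiry.

Constructed example (not Snort code): an outbound DNS query that is purged
from the state table before its reply arrives makes that reply look
unsolicited, i.e. a portscan false positive.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Key = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    ts: float       # seconds since capture start (constructed)
    src: str
    sport: int
    dst: str
    dport: int


class UdpStateTable:
    """Tracks outbound UDP datagrams from the monitored host so that inbound
    datagrams can be classified as replies (solicited) or unsolicited."""

    def __init__(self, timeout: float, sweep_interval: float):
        self.timeout = timeout
        self.sweep_interval = sweep_interval
        self.pending: Dict[Key, float] = {}   # flow key -> time query was seen
        self.last_sweep = 0.0

    def sweep(self, now: float) -> None:
        # Time-based expiry: every entry older than `timeout` is dropped on the
        # next sweep, whether or not its reply has been seen yet.
        if now - self.last_sweep < self.sweep_interval:
            return
        self.last_sweep = now
        for key in [k for k, t in self.pending.items() if now - t >= self.timeout]:
            del self.pending[key]

    def outbound(self, pkt: Packet) -> None:
        self.sweep(pkt.ts)
        self.pending[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.ts

    def inbound(self, pkt: Packet) -> bool:
        """Return True if pkt answers a pending query, False if unsolicited."""
        self.sweep(pkt.ts)
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reversed tuple
        return self.pending.pop(key, None) is not None


def classify(packets: List[Packet], monitored: str,
             timeout: float, sweep_interval: float) -> List[Packet]:
    """Return the inbound packets the tracker would count as unsolicited."""
    table = UdpStateTable(timeout, sweep_interval)
    unsolicited: List[Packet] = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        if pkt.src == monitored:
            table.outbound(pkt)
        elif not table.inbound(pkt):
            unsolicited.append(pkt)
    return unsolicited


FIREWALL = "192.0.2.1"
# Constructed traffic: two DNS queries to different resolvers (one answers
# quickly, one slowly) plus one genuinely unsolicited probe.
TRAFFIC = [
    Packet(0.0, FIREWALL, 40001, "198.51.100.53", 53),
    Packet(0.4, "198.51.100.53", 53, FIREWALL, 40001),   # answered in 0.4 s
    Packet(1.0, FIREWALL, 40002, "203.0.113.53", 53),
    Packet(4.5, "203.0.113.53", 53, FIREWALL, 40002),   # slow resolver, 3.5 s
    Packet(6.0, "203.0.113.99", 31337, FIREWALL, 137),  # unsolicited probe
]


def race_demo() -> List[str]:
    # 2 s expiry with a 1 s sweep: the slow reply is purged before it arrives,
    # so the resolver is reported alongside the real probe (false positive).
    return [p.src for p in classify(TRAFFIC, FIREWALL, timeout=2.0, sweep_interval=1.0)]


def fixed_demo() -> List[str]:
    # Reply window longer than worst-case resolver latency: only the probe is
    # reported. The entry is still removed when its reply is matched.
    return [p.src for p in classify(TRAFFIC, FIREWALL, timeout=10.0, sweep_interval=1.0)]


if __name__ == "__main__":
    print("short timeout flags:", race_demo())
    print("long timeout flags: ", fixed_demo())
```

The fix shown is the simplest one: size the expiry window to the service's expected reply latency and let a matched reply, rather than the timer, retire the entry. An unanswered query still ages out, so the table cannot grow without bound.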
