[Snort-users] Re: Stateful portscan detection anybody?

James Hoagland hoagland at ...47...
Thu Aug 31 11:36:45 EDT 2000

At 12:12 AM -0700 8/31/00, John Pettitt wrote:
>I'm monitoring the "red" net outside my firewall and it's the DNS 
>query traffic from my firewall to servers all over the net that is 
>causing the problems.

One way to get rid of the false positive scans from the queries then 
is to put your firewall on the ignore list.  You may not want to do 
that though.

If the problem is the replies you would put the DNS servers on that list.

>I've started looking at the source - one issue I see is that 
>connections are expired and removed from the linked lists on a time 
>basis - this will generate a race condition where the outbound DNS 
>query could be removed and so the reply won't be matched. 
>Clearly adding DNS statefulness is not going to be trivial.
>It seems to be only DNS that has this issue - I suspect because it's 
>the only common service that uses UDP.

Nope.  Lots of network games (e.g., half-life) use UDP.

Hope this helps,

|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...47...                *|
|*  Voice: (707) 445-4355 x13          Fax: (707) 826-7571  *|
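Added example, not from the thread and not Snort's portscan code: a toy Python model of the purely time-based UDP state expiry John describes, showing how a slow DNS reply outlives the entry for its query and is then counted as unsolicited, and how Jim's ignore-list suggestion suppresses that. Addresses, ports and timings are constructed.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    t: float        # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int

class UdpStateTable:
    """Remembers outbound UDP requests so that matching replies are not counted
    as unsolicited packets. Entries are purged by age only, as in the thread."""
    def __init__(self, timeout, ignore=()):
        self.timeout = timeout
        self.ignore = set(ignore)     # hosts whose traffic is never scored
        self.pending = {}             # flow key -> time of the outbound packet
        self.unsolicited = []

    def _purge(self, now):
        stale = [k for k, t0 in self.pending.items() if now - t0 > self.timeout]
        for k in stale:
            del self.pending[k]       # the race: a late reply now has nothing to match

    def outbound(self, p):
        self._purge(p.t)
        self.pending[(p.src, p.sport, p.dst, p.dport)] = p.t

    def inbound(self, p):
        self._purge(p.t)
        if p.dst in self.ignore:      # ignore-list workaround from the thread
            return True
        key = (p.dst, p.dport, p.src, p.sport)   # reverse of the request tuple
        if key in self.pending:
            return True
        self.unsolicited.append(p)
        return False

FW = "192.0.2.1"   # constructed "firewall" address (documentation range)

def run_trace(timeout, ignore=()):
    # Constructed trace: three DNS queries from the firewall, one reply arriving late.
    tbl = UdpStateTable(timeout, ignore)
    tbl.outbound(Pkt(0.0, FW, 40001, "198.51.100.10", 53))
    tbl.outbound(Pkt(0.1, FW, 40002, "198.51.100.20", 53))
    tbl.outbound(Pkt(0.2, FW, 40003, "198.51.100.30", 53))
    tbl.inbound(Pkt(0.3, "198.51.100.10", 53, FW, 40001))  # prompt reply, matched
    tbl.inbound(Pkt(0.5, "198.51.100.20", 53, FW, 40002))  # prompt reply, matched
    tbl.inbound(Pkt(4.0, "198.51.100.30", 53, FW, 40003))  # slow server, 3.8 s later
    return len(tbl.unsolicited)   # number of replies scored as unsolicited
```

With a 2 s timeout the late reply is scored as unsolicited; a longer timeout or an ignore entry for the firewall removes the false positive, at the cost of more state or less coverage.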

