[Snort-users] Rule Config Question

Dr SuSE drsuse at ...748...
Wed Jan 10 11:57:30 EST 2001


EXTERNAL_NET should be set to any; !$HOME_NET will work also.

Double-check that the #preprocessor portscan-ignorehosts: $DNS_SERVERS
line is uncommented.

> I have Snort installed on a FreeBSD 4.0 box. I am assuming that my problem is
> related to a misconfiguration in my rule file, but I am a little lost.
> 
> When I port scan (nmap) local host on the box that has snort installed, it
> logs the port scan attempt as coming from my ISP's DNS server instead of the
> IP addy of the machine I am on.
> 
> In the rule file I have the Home network var set to the ip of the network
> interface on the box, I was not sure what the External var should be set to,
> so I set it to the same value (local machines ip addy). What exactly is the
> External Var supposed to be?
> 
> Details:
> 
> rule file has-
> var HOME_NET x.x.x.231/32
> var EXTERNAL_NET x.x.x.231/32
> 
> Alert log, from running an "nmap localhost" on the snort box reports:
> 
> [**] spp_portscan: PORTSCAN DETECTED from x.x.x.22 (THRESHOLD 3 connections
> exceeded in 1 seconds) [**]
> 01/10-17:51:52.513852
> 
> The .22 address is my ISP's DNS server; how the heck does this happen?
> 
> Thanks in Advance
> 
> Ken Caruso
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/mailman/listinfo/snort-users
> 

---------------------------------------------
Microsoft is not installed.
http://www.drsuse.org/
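The snort.conf fragment below is added here as a worked example of the fix the reply describes; it is not taken from either poster's file. It assumes the Snort 1.x configuration syntax of the time (var, preprocessor portscan, preprocessor portscan-ignorehosts); the x.x.x.231 and x.x.x.22 addresses are the placeholders from the thread, and the portscan log path is made up. The portscan arguments (monitored network, number of ports, detection period in seconds, log file) are set to match the "THRESHOLD 3 connections exceeded in 1 seconds" shown in the posted alert.

```conf
# snort.conf fragment (example, assumed Snort 1.x syntax)

# HOME_NET stays the sensor's own address, as posted.
var HOME_NET x.x.x.231/32

# Posted file had "var EXTERNAL_NET x.x.x.231/32", i.e. identical to
# HOME_NET, so "external" could never be distinguished from "local".
# Either of these is correct; use only one of them:
var EXTERNAL_NET !$HOME_NET
# var EXTERNAL_NET any

# The resolver the box uses (x.x.x.22 is the ISP DNS server from the
# thread, written as a placeholder exactly as in the original post).
var DNS_SERVERS x.x.x.22/32

# Old portscan preprocessor: monitored network, port count, period
# in seconds, log file.  "3 1" reproduces the threshold in the alert.
preprocessor portscan: $HOME_NET 3 1 /var/log/snort/portscan.log

# Replies from the DNS server to many ephemeral ports in a short
# burst look like a scan to spp_portscan; this line tells it to
# ignore that host.  It must NOT start with '#', or it is ignored
# and the DNS server shows up as the "scanner" again.
preprocessor portscan-ignorehosts: $DNS_SERVERS
```

After editing, restart Snort and re-run "nmap localhost": the resolver's traffic should no longer raise a PORTSCAN DETECTED alert, while a scan from any other host still does.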