[Snort-users] DNS, portscan, & laptops

Andrew Daviel andrew at ...523...
Mon Jun 18 12:40:41 EDT 2001


A little gotcha - well, as it relates to my reporter script
http://andrew.triumf.ca/pub/security/reporter/

The notes say to ignore DNS servers to avoid triggering the portscan
plugin. So I ignore the root nameservers, our onsite users use our
onsite nameservers, occasional DNS lookups are ignored, and everything
is OK.
Then someone brings a laptop onsite, forgets to reconfigure the
DNS from their home ISP, and does a lot of surfing. Result, 2 automated
complaints sent to their ISP (followed by manual "sorry! please ignore.").
I since fixed the script to ignore UDP source port 53.

Normally, I suppose, you would like to know about someone
misconfigured like this, but probably not to panic...

-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security at ...524...





More information about the Snort-users mailing list