[Snort-users] DNS, portscan, & laptops

Brian Caswell bmc at ...312...
Mon Jun 18 17:36:49 EDT 2001


Andrew Daviel wrote:
> 
> A little gotcha - well, as it relates to my reporter script
> http://andrew.triumf.ca/pub/security/reporter/
> 
> The notes say to ignore DNS servers to avoid triggering the portscan
> plugin. So I ignore the root nameservers, our onsite users use our
> onsite nameservers, occasional DNS lookups are ignored, and everything
> is OK.
> Then someone brings a laptop onsite, forgets to reconfigure the
> DNS from their home ISP, and does a lot of surfing. Result, 2 automated
> complaints sent to their ISP (followed by manual "sorry! please ignore.").
> I since fixed the script to ignore UDP source port 53.
> 
> Normally, I suppose, you would like to know about someone
> misconfigured like this, but probably not to panic...

This would be yet another reason for NOT automagicly doing things like
automail or autofirewall.  You are going to shot yourself in the foot
like this. 

Never never never never do anything but wave big red flags at yourself
automagicly.  Computers are smart, but computers don't know politics. 
Heck, people don't know politics.  Why should computers know any
better?

-- 
Brian Caswell
The MITRE Corporation




More information about the Snort-users mailing list