[Snort-users] DNS, portscan, & laptops

Vitaly Osipov vosipov at ...2096...
Tue Jun 19 04:46:24 EDT 2001


It's just another example that it's _bad_ to use automated complaining
(and, oh horror, firewall reconfiguration) tools. Standart example - 5
minutes of spoofed traffic, and you'll be known as a big spammer for the
rest of your life :)))

regards,
Vitaly.

Andrew Daviel wrote:
> 
> A little gotcha - well, as it relates to my reporter script
> http://andrew.triumf.ca/pub/security/reporter/
> 
> The notes say to ignore DNS servers to avoid triggering the portscan
> plugin. So I ignore the root nameservers, our onsite users use our
> onsite nameservers, occasional DNS lookups are ignored, and everything
> is OK.
> Then someone brings a laptop onsite, forgets to reconfigure the
> DNS from their home ISP, and does a lot of surfing. Result, 2 automated
> complaints sent to their ISP (followed by manual "sorry! please ignore.").
> I since fixed the script to ignore UDP source port 53.
> 
> Normally, I suppose, you would like to know about someone
> misconfigured like this, but probably not to panic...
> 
> --
> Andrew Daviel, TRIUMF, Canada
> Tel. +1 (604) 222-7376
> security at ...524...
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list