[Snort-users] Snort still detecting DNS stuff as portscans...

Ben Beuchler insyte at ...1495...
Tue Mar 6 13:53:52 EST 2001

First, the precis:  
My Snort box thinks every DNS query is a portscan.

Now, the details: 
I have a /28 network hanging off my Cisco 675 DSL router with an OpenBSD
box acting as a bridging firewall between the router and my network.
I'm running Snort on the firewall with HOME_NET set to my /28.  I'm
running dnscache on that box as well, only accepting requests from my
internal network.

The firewall has two interfaces, ep0 and ep1, ep0 has an IP address, ep1
is just the other side of the bridge and does not have an IP address
bound to it.  According to snort, it is on initializing ep0, which is

I have this line in my snort.conf:
var DNS_SERVERS xxx.xxx.xxx.x, yyy.yyy.yyy.y

The first IP is the name server of my ISP, the second is the IP of the
firewall's ep0, where dnscache is listening.

Despite that, my log is full of alerts like this:

[**] spp_portscan: portscan status from yyy.yyy.yyy.yy: 1 connections across 1 hosts: TCP(0), UDP(1) [**]

Any thoughts?


Ben Beuchler                                           There is no spoon.
insyte at ...1495...                                            -- The Matrix
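As an added triage check (example code, not from the post or from the Snort project), the script below parses spp_portscan status lines like the one quoted above, groups them by source, and reports which sources are listed resolvers that only ever produce UDP hits, which is the signature of the DNS false positive described; the addresses, log lines and the `DNS_SERVERS` set are constructed placeholders.

```python
import re
from collections import defaultdict

# Regex for the Snort 1.x spp_portscan "portscan status" line quoted in the post.
ALERT_RE = re.compile(
    r"spp_portscan: portscan status from (?P<src>[\d.]+): "
    r"(?P<conns>\d+) connections across (?P<hosts>\d+) hosts: "
    r"TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)"
)

def parse_alerts(lines):
    """Yield one dict per spp_portscan status line; other lines are skipped."""
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            d = m.groupdict()
            yield {"src": d["src"], **{k: int(d[k]) for k in ("conns", "hosts", "tcp", "udp")}}

def triage(lines, dns_servers):
    """Group alerts by source and flag which sources are known resolvers.

    Returns {src: {"alerts": n, "tcp": t, "udp": u, "known_dns": bool}}.
    A known resolver that only ever shows UDP hits is the classic DNS
    false positive; anything else deserves a second look before tuning."""
    out = defaultdict(lambda: {"alerts": 0, "tcp": 0, "udp": 0, "known_dns": False})
    for a in parse_alerts(lines):
        e = out[a["src"]]
        e["alerts"] += 1
        e["tcp"] += a["tcp"]
        e["udp"] += a["udp"]
        e["known_dns"] = a["src"] in dns_servers
    return dict(out)

def likely_dns_false_positives(summary):
    """Sources safe to exempt from portscan tracking: listed resolvers with no TCP hits."""
    return sorted(s for s, e in summary.items() if e["known_dns"] and e["tcp"] == 0)

# Constructed sample log using documentation addresses (not taken from the post).
SAMPLE_LOG = """\
[**] spp_portscan: portscan status from 192.0.2.2: 1 connections across 1 hosts: TCP(0), UDP(1) [**]
[**] spp_portscan: portscan status from 192.0.2.2: 3 connections across 2 hosts: TCP(0), UDP(3) [**]
[**] spp_portscan: portscan status from 203.0.113.7: 40 connections across 1 hosts: TCP(40), UDP(0) [**]
[**] spp_portscan: PORTSCAN DETECTED from 203.0.113.7 (THRESHOLD 4 connections in 3 seconds) [**]
"""
DNS_SERVERS = {"192.0.2.2", "198.51.100.53"}  # constructed: ISP resolver and local dnscache

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG.splitlines(), DNS_SERVERS)
    for src, entry in summary.items():
        print(src, entry)
    print("exempt from portscan tracking:", likely_dns_false_positives(summary))
```

The real TCP-only scanner in the sample stays flagged, so exempting the resolvers does not hide it.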
