[Snort-users] Snort still detecting DNS stuff as portscans...
insyte at ...1495...
Tue Mar 6 13:53:52 EST 2001
First, the precis:
My Snort box thinks every DNS query is a portscan.
Now, the details:
I have a /28 network hanging off my Cisco 675 DSL router with an OpenBSD
box acting as a bridging firewall between the router and my network.
I'm running Snort on the firewall with HOME_NET set to my /28. I'm
running dnscache on that box as well, only accepting requests from my
The firewall has two interfaces, ep0 and ep1, ep0 has an IP address, ep1
is just the other side of the bridge and does not have an IP address
bound to it. According to snort, it is on initializing ep0, which is
I have this line in my snort.conf:
var DNS_SERVERS xxx.xxx.xxx.x, yyy.yyy.yyy.y
The first IP is the name server of my ISP, the second is the IP of the
firewall's ep0, where dnscache is listening.
Despite that, my log is full of alerts like this:
[**] spp_portscan: portscan status from yyy.yyy.yyy.yy: 1 connections across 1 hosts: TCP(0), UDP(1) [**]
Ben Beuchler                                  There is no spoon.
insyte at ...1495...                              -- The Matrix
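The alert quoted in the post is prefixed `spp_portscan:`, which marks it as coming from the portscan preprocessor rather than from a rule. In Snort 1.x the `DNS_SERVERS` variable is only expanded inside rules that reference `$DNS_SERVERS`; the preprocessor keeps its own exclusion list, set with `portscan-ignorehosts`. The snort.conf fragment below is an added illustration of that directive, not configuration from the poster or the Snort project. It reuses the post's placeholder addresses; the `HOME_NET` value is an assumption standing in for the real /28.

```conf
# Added example, not from the original post. Snort 1.x snort.conf fragment
# showing how the portscan preprocessor is told to skip resolver traffic.

var HOME_NET 192.168.1.0/28                # assumption: replace with the real /28

# Snort 1.x IP lists go in brackets, comma-separated, with no spaces.
# xxx.xxx.xxx.x = ISP resolver, yyy.yyy.yyy.y = firewall ep0 running dnscache
# (placeholders from the post, not real addresses).
var DNS_SERVERS [xxx.xxx.xxx.x,yyy.yyy.yyy.y]

# A rule like this is where $DNS_SERVERS actually takes effect; spp_portscan
# never reads the variable, so it alone cannot silence the portscan alerts.
alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS query to listed server"; sid:1000001;)

# Portscan detector: watch HOME_NET, alert when one source touches 4 ports
# within 3 seconds, and write scan details to portscan.log.
preprocessor portscan: $HOME_NET 4 3 portscan.log

# Hosts the portscan detector should ignore entirely. This directive takes a
# space-separated host list; the resolver and the dnscache interface go here.
preprocessor portscan-ignorehosts: xxx.xxx.xxx.x yyy.yyy.yyy.y
```

After adding the `portscan-ignorehosts` line and restarting Snort, the check is that `spp_portscan` status messages for the two listed hosts stop appearing in the alert log while rule-based DNS alerts, if any are enabled, continue to fire.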