[Snort-users] Snort still detecting DNS stuff as portscans...

Joe McAlerney joey at ...155...
Tue Mar 6 14:54:50 EST 2001


Ben Beuchler wrote:

> I have this line in my snort.conf:
> var DNS_SERVERS xxx.xxx.xxx.x, yyy.yyy.yyy.y

You need brackets here.  Is this an old snort.conf file?

var DNS_SERVERS [192.168.1.1/32,10.1.1.1/32]

> Despite that, my log is full of alerts like this:
> 
> 03/06-10:31:06.493990
> [**] spp_portscan: portscan status from yyy.yyy.yyy.yy: 1 connections across 1 hosts: TCP(0), UDP(1) [**]

Make sure they are added to the portscan-ignorehosts preprocessor, and
make sure the portscan-ignorehosts line is AFTER the portscan line.  I
imagine it is if you are using a standard snort.conf file.

-Joe M.
-- 
+--                            --+
| Joe McAlerney, Silicon Defense |
| http://www.silicondefense.com/ |
+--                            --+
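A small checker for the two configuration mistakes raised in this thread (an unbracketed multi-address var, and portscan-ignorehosts placed before the portscan line), added here as an example; it is not part of the original post or of Snort itself. It assumes the Snort 1.x conf syntax of the era (`var NAME value`, `preprocessor name: args`) and runs over constructed snort.conf fragments.

```python
import re

# Constructed snort.conf fragments (Snort 1.x syntax). BROKEN_CONF has the
# unbracketed DNS_SERVERS list and the wrong preprocessor order; FIXED_CONF
# is the corrected form.
BROKEN_CONF = """\
var HOME_NET 192.168.1.0/24
var DNS_SERVERS 192.168.1.1/32, 10.1.1.1/32
preprocessor portscan-ignorehosts: $DNS_SERVERS
preprocessor portscan: $HOME_NET 4 3 portscan.log
"""

FIXED_CONF = """\
var HOME_NET 192.168.1.0/24
var DNS_SERVERS [192.168.1.1/32,10.1.1.1/32]
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
"""

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(.+?)\s*$")
PP_RE = re.compile(r"^\s*preprocessor\s+([\w-]+)\s*:\s*(.*?)\s*$")


def check_portscan_config(conf: str) -> list[str]:
    """Return the problems found in a conf fragment; an empty list means it is fine."""
    problems = []
    variables = {}
    pp_order = {}  # preprocessor name -> line number of first occurrence
    pp_args = {}
    for lineno, line in enumerate(conf.splitlines(), start=1):
        m = VAR_RE.match(line)
        if m:
            name, value = m.groups()
            variables[name] = value
            # Several addresses must be bracketed, comma-separated, no spaces.
            if "," in value and not (value.startswith("[") and value.endswith("]")):
                problems.append(f"line {lineno}: var {name} lists several addresses but is not bracketed")
            elif " " in value:
                problems.append(f"line {lineno}: var {name} contains whitespace")
            continue
        m = PP_RE.match(line)
        if m:
            pp_name, args = m.groups()
            pp_order.setdefault(pp_name, lineno)
            pp_args.setdefault(pp_name, args)
    if "portscan" in pp_order and "portscan-ignorehosts" in pp_order:
        if pp_order["portscan-ignorehosts"] < pp_order["portscan"]:
            problems.append("portscan-ignorehosts appears before the portscan preprocessor line")
    elif "portscan" in pp_order:
        problems.append("portscan is enabled but no portscan-ignorehosts line was found")
    # Every $VAR referenced by portscan-ignorehosts must actually be defined.
    for ref in re.findall(r"\$(\w+)", pp_args.get("portscan-ignorehosts", "")):
        if ref not in variables:
            problems.append(f"portscan-ignorehosts references undefined var {ref}")
    return problems
```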