[Snort-users] Snort still detecting DNS stuff as portscans...
joey at ...155...
Tue Mar 6 14:54:50 EST 2001
Ben Beuchler wrote:
> I have this line in my snort.conf:
> var DNS_SERVERS xxx.xxx.xxx.x, yyy.yyy.yyy.y
You need brackets here. Is this an old snort.conf file?
var DNS_SERVERS [192.168.1.1/32,10.1.1.1/32]
> Despite that, my log is full of alerts like this:
> [**] spp_portscan: portscan status from yyy.yyy.yyy.yy: 1 connections across 1 hosts: TCP(0), UDP(1) [**]
Make sure they are added to the portscan-ignorehosts preprocessor, and
make sure the portscan-ignorehosts line is AFTER the portscan line. I
imagine it is if you are using a standard snort.conf file.
| Joe McAlerney, Silicon Defense |
| http://www.silicondefense.com/ |
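
Added example (not part of the original message or of Snort itself): a small Python check for the two configuration mistakes discussed in this thread, a comma-separated address list without brackets and a portscan-ignorehosts line that is missing or placed before the portscan line. The sample snort.conf text, the addresses in it and the function name lint_snort_conf are constructed for illustration.

```python
import re

# Constructed sample: the setup from the thread (list without brackets,
# ignorehosts declared before the portscan preprocessor).
SAMPLE_BAD = """\
var HOME_NET 192.168.1.0/24
var DNS_SERVERS 192.168.1.1, 10.1.1.1
preprocessor portscan-ignorehosts: $DNS_SERVERS
preprocessor portscan: $HOME_NET 4 3 portscan.log
"""

# Constructed sample: the same file with both of the reply's fixes applied.
SAMPLE_GOOD = """\
var HOME_NET 192.168.1.0/24
var DNS_SERVERS [192.168.1.1/32,10.1.1.1/32]
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
"""

VAR_RE = re.compile(r"^var\s+(\S+)\s+(.+)$")
PREPROC_RE = re.compile(r"^preprocessor\s+([\w-]+)\s*:?\s*(.*)$")


def lint_snort_conf(text, var_name="DNS_SERVERS"):
    """Return a list of (line_number, message) findings."""
    findings = []
    portscan_line = ignore_line = None
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = VAR_RE.match(line)
        if m and "," in m.group(2):
            value = m.group(2).strip()
            if not (value.startswith("[") and value.endswith("]")):
                findings.append((num, f"var {m.group(1)}: address list needs [brackets]"))
        m = PREPROC_RE.match(line)
        if m and m.group(1) == "portscan":
            portscan_line = num
        elif m and m.group(1) == "portscan-ignorehosts":
            ignore_line = num
            if "$" + var_name not in m.group(2):
                findings.append((num, f"portscan-ignorehosts does not list ${var_name}"))
    if portscan_line and ignore_line is None:
        findings.append((portscan_line, "portscan enabled but no portscan-ignorehosts line"))
    elif portscan_line and ignore_line < portscan_line:
        findings.append((ignore_line, "portscan-ignorehosts must come AFTER portscan"))
    return findings
```

Calling lint_snort_conf(open("snort.conf").read()) on a real file returns an empty list when neither problem is present.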