[Snort-users] DNS portscans

Richard Lawley richard.lawley at ...1503...
Wed Mar 14 13:33:34 EST 2001


I guess this is why the line "preprocessor portscan-ignorehosts:
$DNS_SERVERS" exists in the configuration file.  This stops the portscan
pre-processor from detecting this as a portscan.  Is this being triggered by
the portscan pre-processor or a rule?

Richard

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Bob Van Cleef
Sent: 14 March 2001 17:51
To: Snort E-mail List
Subject: [Snort-users] DNS portscans



The below scans have been showing up a lot lately as use of our VPN
network grows.  The logs make it look like our DNS server / Web server is
scanning our VPN network.

Bob
-*> Snort! <*-
Version 1.7

Mar 13 13:49:44 WEB-DNS-SERVER-IP:53 -> VPN-ROUTER-IP:2267 UDP
Mar 13 13:49:44 WEB-DNS-SERVER-IP:53 -> VPN-ROUTER-IP:2270 UDP
Mar 13 13:49:45 WEB-DNS-SERVER-IP:53 -> VPN-ROUTER-IP:2274 UDP
Mar 13 13:49:45 WEB-DNS-SERVER-IP:53 -> VPN-ROUTER-IP:2277 UDP
Mar 13 13:49:52 WEB-DNS-SERVER-IP:53 -> VPN-ROUTER-IP:2281 UDP
Mar 13 15:43:15 WEB-DNS-SERVER-IP:53 -> VPN-ROUTER-IP:3402 UDP
Mar 13 15:43:16 WEB-DNS-SERVER-IP:53 -> VPN-ROUTER-IP:3405 UDP
Mar 13 15:43:16 WEB-DNS-SERVER-IP:53 -> VPN-ROUTER-IP:3408 UDP
Mar 13 15:43:16 WEB-DNS-SERVER-IP:53 -> VPN-ROUTER-IP:3410 UDP
Mar 13 16:45:28 WEB-DNS-SERVER-IP:53 -> VPN-ROUTER-IP:3140 UDP
Mar 13 16:45:28 WEB-DNS-SERVER-IP:53 -> VPN-ROUTER-IP:3142 UDP
Mar 13 16:45:29 WEB-DNS-SERVER-IP:53 -> VPN-ROUTER-IP:3146 UDP
Mar 13 16:45:29 WEB-DNS-SERVER-IP:53 -> VPN-ROUTER-IP:3149 UDP
Mar 13 16:45:29 WEB-DNS-SERVER-IP:53 -> VPN-ROUTER-IP:3152 UDP
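
Added example, not part of the original thread or of Snort itself: a small triage script that checks whether the entries logged for a host really are all DNS replies (UDP from source port 53 to an unprivileged port) before that host is added to $DNS_SERVERS for portscan-ignorehosts. The function names, the 192.0.2.x hosts and the 1024 port threshold are assumptions made for this sketch; the sample lines are constructed in the layout quoted above.

```python
import re
from collections import defaultdict

# Layout of the entries quoted in the thread:
#   "Mar 13 13:49:44 SRC:SPORT -> DST:DPORT UDP"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+(?P<proto>\w+)"
)

def parse(lines):
    """Yield (src, sport, dport, proto) for every line that matches."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], int(m["sport"]), int(m["dport"]), m["proto"].upper()

def triage(lines, dns_servers):
    """Return {source: verdict}. A source is 'dns-replies' only if it is a
    listed DNS server and every entry is UDP from port 53 to a port >= 1024
    (assumed client port range); anything else is 'review'."""
    by_src = defaultdict(list)
    for src, sport, dport, proto in parse(lines):
        by_src[src].append((sport, dport, proto))
    verdicts = {}
    for src, entries in by_src.items():
        replies_only = src in dns_servers and all(
            proto == "UDP" and sport == 53 and dport >= 1024
            for sport, dport, proto in entries
        )
        verdicts[src] = "dns-replies" if replies_only else "review"
    return verdicts

# Constructed sample: the first three lines copy the thread's layout,
# the 192.0.2.x lines are invented to exercise the 'review' paths.
SAMPLE = [
    "Mar 13 13:49:44 WEB-DNS-SERVER-IP:53 -> VPN-ROUTER-IP:2267 UDP",
    "Mar 13 13:49:44 WEB-DNS-SERVER-IP:53 -> VPN-ROUTER-IP:2270 UDP",
    "Mar 13 15:43:15 WEB-DNS-SERVER-IP:53 -> VPN-ROUTER-IP:3402 UDP",
    "Mar 13 17:02:11 192.0.2.10:4021 -> VPN-ROUTER-IP:161 UDP",   # not a DNS server
    "Mar 13 17:05:01 192.0.2.53:53 -> VPN-ROUTER-IP:2300 UDP",
    "Mar 13 17:05:02 192.0.2.53:53 -> VPN-ROUTER-IP:111 UDP",     # privileged dst port
]
DNS_SERVERS = {"WEB-DNS-SERVER-IP", "192.0.2.53"}

if __name__ == "__main__":
    for src, verdict in sorted(triage(SAMPLE, DNS_SERVERS).items()):
        print(f"{src:20} {verdict}")
```

A host that comes back as "review" has at least one entry that does not look like a DNS reply, so ignoring it in the portscan preprocessor would hide that traffic as well.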


