[Snort-users] False positives from DNS servers

Brian Caswell bmc at ...312...
Thu Mar 15 10:41:39 EST 2001


Siddhartha Jain wrote:
> 
>  Hi,
> 
>  I have the following entry in snort.conf :-
> 
>  var DNS_SERVERS [202.54.1.30/32,202.54.1.18/32,202.87.39.13/32,202.87.39.14/32]
> 
>  I still get portscan alerts from these hosts in ~logdir/log and
>  ~logdir/portscan.log

That's because DNS_SERVERS is in there for a reference.

Do you have the following?

preprocessor portscan-ignorehosts: $DNS_SERVERS

-- 
Brian Caswell
The MITRE Corporation
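
Added example (not part of the original post and not Snort's own code): a small Python check over a snort.conf that reports which networks in a variable such as DNS_SERVERS will still raise portscan alerts because no portscan-ignorehosts line references them. The sample config is constructed; its HOME_NET value and portscan arguments are assumptions, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample config. DNS_SERVERS is taken from the post; the HOME_NET
# value and the portscan arguments are assumptions for illustration.
SAMPLE_CONF = """\
var HOME_NET 202.54.1.0/24
var DNS_SERVERS [202.54.1.30/32,202.54.1.18/32,202.87.39.13/32,202.87.39.14/32]
preprocessor portscan: $HOME_NET 4 3 portscan.log
"""

def parse(conf):
    """Return (variables, preprocessors) from snort.conf text, skipping comments."""
    variables, preprocs = {}, {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"var\s+(\S+)\s+(.+)", line)
        if m:
            variables[m.group(1)] = m.group(2).strip()
            continue
        m = re.match(r"preprocessor\s+([\w-]+)\s*:\s*(.*)", line)
        if m:
            preprocs[m.group(1)] = m.group(2).strip()
    return variables, preprocs

def networks(value, variables):
    """Expand $VAR references (one level) and return the listed networks."""
    value = re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), ""), value)
    items = re.split(r"[\s,\[\]]+", value)
    return [ipaddress.ip_network(i, strict=False) for i in items if i]

def unignored_hosts(conf, var_name="DNS_SERVERS"):
    """Networks in var_name that the portscan preprocessor will still alert on."""
    variables, preprocs = parse(conf)
    if "portscan" not in preprocs or var_name not in variables:
        return []
    # Defining the variable does nothing by itself; only this line suppresses alerts.
    ignored = networks(preprocs.get("portscan-ignorehosts", ""), variables)
    return [str(n) for n in networks(variables[var_name], variables)
            if not any(n.subnet_of(i) for i in ignored)]

if __name__ == "__main__":
    print("still alerting:", unignored_hosts(SAMPLE_CONF))
    fixed = SAMPLE_CONF + "preprocessor portscan-ignorehosts: $DNS_SERVERS\n"
    print("after adding ignorehosts:", unignored_hosts(fixed))
```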



