[Snort-users] False positives from DNS servers

Siddhartha Jain s_i_d_j at ...131...
Thu Mar 15 10:45:36 EST 2001


Thanks for the responses. Now I have included "preprocessor
portscan-ignorehosts: $DNS_SERVERS" in the config file.

Siddhartha


----- Original Message -----
From: "Brian Caswell" <bmc at ...312...>
To: "Siddhartha Jain" <s_i_d_j at ...131...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Thursday, March 15, 2001 9:11 PM
Subject: Re: [Snort-users] False positives from DNS servers


> Siddhartha Jain wrote:
> >
> >  Hi,
> >
> >  I have the following entry in snort.conf :-
> >
> >  var DNS_SERVERS
> >  [202.54.1.30/32,202.54.1.18/32,202.87.39.13/32,202.87.39.14/32]
> >
> >  I still get portscan alerts from these hosts in ~logdir/log and
> >  ~logdir/portscan.log
>
> That's because DNS_SERVERS is in there for a reference.
>
> Do you have the following?
>
> preprocessor portscan-ignorehosts: $DNS_SERVERS
>
> --
> Brian Caswell
> The MITRE Corporation
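
The point made in the reply above, as an added example that is not part of the original thread or of Snort itself: a small check that reads a snort.conf and reports which entries of a variable are defined but never passed to portscan-ignorehosts. The sample configs are constructed (the HOME_NET value and the portscan line are assumptions; the DNS addresses are the ones quoted in the thread), and only direct $NAME references are expanded.

```python
import re

# Constructed sample configs; DNS addresses are those quoted in the thread.
VAR_ONLY = """\
var HOME_NET 10.0.0.0/8
var DNS_SERVERS [202.54.1.30/32,202.54.1.18/32,202.87.39.13/32,202.87.39.14/32]
preprocessor portscan: $HOME_NET 4 3 portscan.log
"""
WITH_IGNORE = VAR_ONLY + "preprocessor portscan-ignorehosts: $DNS_SERVERS\n"

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(.+?)\s*$")
IGNORE_RE = re.compile(r"^\s*preprocessor\s+portscan-ignorehosts\s*:\s*(.+?)\s*$")

def _logical_lines(text):
    """Drop comments and join lines that end with a backslash continuation."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        if (buf + line).strip():
            yield buf + line
        buf = ""

def _expand(value, variables):
    """Substitute $NAME references, then flatten a [a,b,c] list into a set."""
    value = re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)
    return {tok for tok in re.split(r"[\[\],\s]+", value) if tok}

def portscan_ignored_hosts(conf_text):
    """Return the addresses the portscan preprocessor is told to ignore."""
    variables, ignored = {}, set()
    for line in _logical_lines(conf_text):
        if m := VAR_RE.match(line):
            variables[m.group(1)] = m.group(2)
        elif m := IGNORE_RE.match(line):
            ignored |= _expand(m.group(1), variables)
    return ignored

def unprotected(conf_text, var_name="DNS_SERVERS"):
    """Entries of var_name that are defined but not covered by portscan-ignorehosts."""
    variables = {m.group(1): m.group(2) for l in _logical_lines(conf_text)
                 if (m := VAR_RE.match(l))}
    defined = _expand(variables.get(var_name, ""), variables)
    return defined - portscan_ignored_hosts(conf_text)
```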

