[Snort-users] Arghh...how do I stop it doing this!!

Ed Greshko Edward.M.Greshko at ...1974...
Thu May 3 11:46:48 EDT 2001


 

> Active System Attack Alerts
> =-=-=-=-=-=-=-=-=-=-=-=-=-=
> [**] MISC source port 53 to <1023 [**]
> 05/04-00:04:47.283946 209.235.102.13:53 -> 203.164.xxx.xxx:53
> UDP TTL:237 TOS:0x0 ID:50935 IpLen:20 DgmLen:460 DF
> [**] MISC source port 53 to <1023 [**]
> 05/04-00:04:47.542673 209.235.102.12:53 -> 203.164.xxx.xxx:53
> UDP TTL:237 TOS:0x0 ID:21123 IpLen:20 DgmLen:137 DF
> 
> [...etc...]
> 
> Damn thing seems to read every DNS query _I_ do as a bloody alert
> notable event!!
> ARRGHH!!!

Read the documentation?  :-) :-)

Part of the snort.conf has....

# Define the addresses of DNS servers and other hosts
# if you want to ignore portscan false alarms from them...

Do that and things magically get better.  

I know, I did the same thing earlier today.  :-)

Ed

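The snort.conf change the reply points to, written out as an added example that is not part of the original post. It assumes a Snort 1.x-era configuration in which the `DNS_SERVERS` variable feeds the `portscan-ignorehosts` preprocessor, and it assumes the two source addresses in the quoted alerts are the resolvers the reader actually uses.

```conf
# snort.conf fragment (added example, not the poster's own file)

# Define the addresses of DNS servers and other hosts
# if you want to ignore portscan false alarms from them...
# Assumed values: the two sources seen in the quoted alerts, entered as
# /32 host entries so no other address in their network is exempted.
var DNS_SERVERS [209.235.102.12/32,209.235.102.13/32]

# Hosts in this list no longer raise portscan alerts, so keep it limited
# to resolvers you have verified rather than whole networks.
preprocessor portscan-ignorehosts: $DNS_SERVERS
```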