[Snort-users] Arghh...how do I stop it doing this!!

Dave Fitches sticks.au at ...375...
Thu May 3 12:14:23 EDT 2001


That would work, but it's NOT my DNS servers that it's seeing, it's the
REPLIES from OTHER DNS servers that get queried.....

var DNS_SERVERS [203.164.20.147/32,203.164.20.148/32]
preprocessor portscan-ignorehosts: $DNS_SERVERS

That is in my snort.conf, but still I see these damn port 53 queries
whenever I surf the web!


--

    = Dave Fitches =

________________________________________________________
 ,--__|\    David Fitches
/       \   * ICQ : 2120090   * SATCO CID : 955589
\_,--\__/   * Mobile : +61-419-466-744
       v    * E-mail : sticks.au at ...375...
               Melbourne, Victoria, Australia
               Web: http://www.bigfoot.com/~sticks.au/
_______________________________________________________
Please Note: Unless this e-mail has been sent as PRIVATE, PERSONAL or
CONFIDENTIAL, the receiver may forward copies of it on the condition  that
they send an advisory message to the original sender.
If however the message has been marked PRIVATE, PERSONAL or CONFIDENTIAL
prior consent MUST be obtained before the message can be forwarded.

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Ed Greshko
Sent: Friday, 4 May 2001 01:47
To: sticks.au at ...375...
Cc: Snort-Users at ...1973... Sourceforge. Net
Subject: RE: [Snort-users] Arghh...how do I stop it doing this!!



> Active System Attack Alerts
> =-=-=-=-=-=-=-=-=-=-=-=-=-=
> [**] MISC source port 53 to <1023 [**]
> 05/04-00:04:47.283946 209.235.102.13:53 -> 203.164.xxx.xxx:53
> UDP TTL:237 TOS:0x0 ID:50935 IpLen:20 DgmLen:460 DF
> [**] MISC source port 53 to <1023 [**]
> 05/04-00:04:47.542673 209.235.102.12:53 -> 203.164.xxx.xxx:53
> UDP TTL:237 TOS:0x0 ID:21123 IpLen:20 DgmLen:137 DF
>
> [...etc...]
>
> Damn thing seems to read every DNS query _I_ do as a bloody alert
> notable event!!
> ARRGHH!!!

Read the documentation?  :-) :-)

Part of the snort.conf has....

# Define the addresses of DNS servers and other hosts
# if you want to ignore portscan false alarms from them...

Do that and things magically get better.

I know, I did the same thing earlier today.  :-)

Ed
