[Snort-users] HELP!

Guillaume guillaume at ...4029...
Fri Nov 9 08:41:02 EST 2001


In reply to Noah Silverman <noah at ...4048...>:

> I've set up snort on our network, but I can't seem to keep it from logging
> alerts from our DNS machines.


Did you set the DNS_SERVERS variable in your snort configuration file?

<extract from snort.conf>
Define the addresses of DNS servers and other hosts
if you want to ignore portscan false alarms from them...
var DNS_SERVERS ...
</extract>

<other extract from snort.conf>
Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from specific
networks or hosts to reduce false alerts. It is typical to see many false alerts
from DNS servers so you may want to add your DNS servers here. You can add
multiple hosts/networks in a whitespace-delimited list
preprocessor portscan-ignorehosts: $DNS_SERVERS
</other extract>


Guillaume.


