[Snort-users] HELP!

Noah Silverman noah at ...4048...
Fri Nov 9 11:03:02 EST 2001


Guillaume.

I tried this. It DOES stop the portscan report, BUT I still get logging from
my DNS IP and entries in the alert log file.

I am also getting entries from the IP of my machine.  I DO have my home IP
set correctly.

Help??

-N


On 11/9/01 11:43 AM, "Guillaume" <guillaume at ...4029...> wrote:

> In reply to Noah Silverman <noah at ...4048...>:
> 
>> I've set up snort on our network, but I can't seem to keep it from
>> logging alerts from our DNS machines.
> 
> 
> Did you set the DNS_SERVERS variable in your snort configuration file?
> 
> <extract from snort.conf>
> Define the addresses of DNS servers and other hosts
> if you want to ignore portscan false alarms from them...
> var DNS_SERVERS ...
> </extract>
> 
> <other extract from snort.conf>
> Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from specific
> networks or hosts to reduce false alerts. It is typical to see many false
> alerts from DNS servers so you may want to add your DNS servers here. You can
> add multiple hosts/networks in a whitespace-delimited list
> preprocessor portscan-ignorehosts: $DNS_SERVERS
> </other extract>
> 
> 
> Guillaume.