[Snort-users] Not ignoring DNS servers

Snoopy wayne at ...3179...
Thu Sep 6 11:16:05 EDT 2001


Dudes,

I have the same problems somewhat. I have even put the IPs in the
preprocessor line instead of the $DNS_SERVER variable. Actually I
have tried both ways.  I am running the Windows port of snort on a
win2k box. The error is 

MISC source port 53 to < 1024  10.X.X.X 10.Y.Y.Y UDP. 

We are running What's Up as an SNMP trap monitor as well as some
service monitoring. 

Wayne 

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Paul
Slinski
Sent: Thursday, September 06, 2001 1:50 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Not ignoring DNS servers


I have snort set up the following way in snort.conf (snort rules from
snort site):

var DNS_SERVERS [206.191.0.140/32,206.191.0.210/32]

and

preprocessor portscan-ignorehosts: $DNS_SERVERS

Yet snort still reports:
[**] [1:0:0] ICMP Destination Unreachable (Port Unreachable) [**]
09/06-00:02:01.200180 206.191.19.2 -> 206.191.0.210
ICMP TTL:255 TOS:0xC0 ID:51451 IpLen:20 DgmLen:141
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
206.191.0.210:53 -> 206.191.19.2:4611
UDP TTL:253 TOS:0x0 ID:13975 IpLen:20 DgmLen:113
Len: 93
** END OF DUMP

Any ideas?

-Paul
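
Added example, not part of either poster's message: a small Python parser for the alert format quoted above. It checks whether the alert's destination and the source of the embedded original datagram are hosts in the posted DNS_SERVERS list. The function names are hypothetical; the sample input is the alert text and variable value copied from the post.

```python
import ipaddress
import re

# Value copied from the snort.conf line quoted in the post.
DNS_SERVERS = ["206.191.0.140/32", "206.191.0.210/32"]

# Alert text copied from the post, used here as sample input.
SAMPLE_ALERT = """\
[**] [1:0:0] ICMP Destination Unreachable (Port Unreachable) [**]
09/06-00:02:01.200180 206.191.19.2 -> 206.191.0.210
ICMP TTL:255 TOS:0xC0 ID:51451 IpLen:20 DgmLen:141
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
206.191.0.210:53 -> 206.191.19.2:4611
UDP TTL:253 TOS:0x0 ID:13975 IpLen:20 DgmLen:113
Len: 93
** END OF DUMP
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
FLOW = re.compile(r"(\d+\.\d+\.\d+\.\d+)(?::(\d+))? -> (\d+\.\d+\.\d+\.\d+)(?::(\d+))?$")

def parse_alert(text):
    """Return the message plus the outer flow and the quoted (inner) flow."""
    lines = [l.strip() for l in text.strip().splitlines()]
    m = HEADER.match(lines[0])
    if not m:
        raise ValueError("not a Snort full-alert header")
    alert = {"msg": m.group(4), "outer": None, "inner": None}
    in_dump = False
    for line in lines[1:]:
        if line.startswith("** ORIGINAL DATAGRAM DUMP"):
            in_dump = True
        elif line.startswith("** END OF DUMP"):
            in_dump = False
        elif (f := FLOW.search(line)):
            src, sport, dst, dport = f.groups()
            flow = (src, int(sport) if sport else None, dst, int(dport) if dport else None)
            alert["inner" if in_dump else "outer"] = flow
    return alert

def dns_server_involvement(alert, servers=DNS_SERVERS):
    """Report how hosts in the DNS_SERVERS list appear in the alert."""
    nets = [ipaddress.ip_network(s) for s in servers]
    listed = lambda ip: any(ipaddress.ip_address(ip) in n for n in nets)
    outer, inner = alert["outer"], alert["inner"]
    return {
        "alert_dst_is_dns_server": outer is not None and listed(outer[2]),
        "quoted_packet_from_dns_port_53": inner is not None and listed(inner[0]) and inner[1] == 53,
    }
```

For the alert in the post both checks are true: the ICMP error is addressed to a listed DNS server and quotes that server's own UDP packet sent from port 53.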

