[Snort-users] DNS portscan alerts

Dushyanth Harinath dushy at ...5318...
Thu Mar 14 22:21:02 EST 2002


Hi,

I am running snort (1.8.3) on the local LAN interface of a multi-homed machine.
I used to run bind on the same box; just a day back I switched to
djbdns (dnscache), which is running on the local LAN interface. After
switching to dnscache I have been getting many portscan alerts (2651
alerts for today) from many DNS servers.

Below is the log.
----
Mar 15 10:43:17 204.152.186.195:53 -> xxx.xxx.xxx.xxx:20291 UDP  
Mar 15 10:43:18 204.152.186.195:53 -> xxx.xxx.xxx.xxx:38298 UDP  
Mar 15 10:43:18 204.152.186.195:53 -> xxx.xxx.xxx.xxx:63289 UDP  
Mar 15 10:43:19 204.152.186.195:53 -> xxx.xxx.xxx.xxx:61575 UDP  
Mar 15 10:43:20 204.152.186.195:53 -> xxx.xxx.xxx.xxx:43171 UDP  
Mar 15 10:43:20 204.152.186.193:53 -> xxx.xxx.xxx.xxx:4418 UDP  
Mar 15 10:43:21 204.152.186.193:53 -> xxx.xxx.xxx.xxx:13529 UDP  
Mar 15 10:43:22 204.152.186.193:53 -> xxx.xxx.xxx.xxx:5867 UDP  
Mar 15 10:43:23 204.152.186.193:53 -> xxx.xxx.xxx.xxx:58119 UDP  
Mar 15 10:43:23 204.152.186.193:53 -> xxx.xxx.xxx.xxx:60618 UDP  
----

I didn't have this problem when I used to run bind; it used to run on
the public interface, though.

How can I tell snort to ignore these portscans? I cannot list every DNS
server in the portscan-ignorehosts.

TIA
cheers
dushyanth
-- 
How about some patent       |  Dushyanth Harinath
on "(a+b)2 == a2+2ab+b2"    |  Archean Infotech
... choose free software!   |  http://www.archeanit.com
 --some Usenet siggy        |  http://symonds.net/~dushy
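
An added example, not part of the original post: a small triage script over log lines in the layout quoted above. It separates sources whose every entry is UDP from port 53 to a high destination port (the pattern of replies to a cache that sends each query from a different local port) from sources that need a closer look. The sample lines, the `triage` function name and the 1024 port threshold are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the log layout quoted in the post (destination
# masked the same way); the 192.0.2.77 entries are invented for contrast.
SAMPLE_LOG = """\
Mar 15 10:43:17 204.152.186.195:53 -> xxx.xxx.xxx.xxx:20291 UDP
Mar 15 10:43:18 204.152.186.195:53 -> xxx.xxx.xxx.xxx:38298 UDP
Mar 15 10:43:20 204.152.186.193:53 -> xxx.xxx.xxx.xxx:4418 UDP
Mar 15 10:43:21 204.152.186.193:53 -> xxx.xxx.xxx.xxx:13529 UDP
Mar 15 10:44:02 192.0.2.77:40211 -> xxx.xxx.xxx.xxx:22 SYN
Mar 15 10:44:02 192.0.2.77:40212 -> xxx.xxx.xxx.xxx:23 SYN
Mar 15 10:44:03 192.0.2.77:40213 -> xxx.xxx.xxx.xxx:25 SYN
"""

# timestamp, src ip:port, dst ip:port, first token after the ports
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) ([\d.]+):(\d+) -> (\S+):(\d+) (\S+)"
)


def triage(log_text, min_ephemeral=1024):
    """Return (dns_like, review): per-source entry counts in each bucket."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip separators and anything not in this layout
        _, src, sport, _, dport, proto = m.groups()
        per_src[src].append((int(sport), int(dport), proto))

    dns_like, review = {}, {}
    for src, pkts in per_src.items():
        # Reply-shaped traffic: always UDP, always from port 53,
        # always to a high (ephemeral) destination port.
        is_dns = all(
            proto == "UDP" and sport == 53 and dport >= min_ephemeral
            for sport, dport, proto in pkts
        )
        (dns_like if is_dns else review)[src] = len(pkts)
    return dns_like, review


if __name__ == "__main__":
    dns_like, review = triage(SAMPLE_LOG)
    print("DNS-reply shaped:", dns_like)
    print("Needs review:    ", review)
```

Any sender can choose source port 53, so the DNS-shaped bucket is a triage aid; confirm it against the cache's own query log before suppressing alerts for those sources.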



