[Snort-users] DNS portscan alerts

Leigh David Heyman leigh at ...5300...
Fri Mar 15 09:21:07 EST 2002


> 
> I didn't have this problem when I used to run bind. It used to run on
> the public interface though.
> 

Of course you didn't if you were running snort on the local interface, and
bind on the public interface.  I imagine if you run bind on the local
interface you'd get the same effect.

> 
> How can I tell snort to ignore these portscans? I cannot list every DNS
> server in the portscan-ignorehosts.
> 

Will this work?  Defining a network without your DNS server(s):

var HOME_NET_NODNS [$HOME_NET,!your.dns.ip/32]

then

preprocessor portscan: $HOME_NET_NODNS 4 3 portscan.log

-Leigh


-----------------------------
The difference between the right word and the almost right word is the
difference between lightning and the lightning bug.
		-- Mark Twain





