[Snort-users] DNS portscan alerts

Leigh David Heyman leigh at ...5300...
Fri Mar 15 09:21:07 EST 2002

> I didn't have this problem when I used to run bind. It used to run on
> the public interface though.

Of course you didn't if you were running snort on the local interface, and 
bind on the public interface.  I imagine if you run bind on the local 
interface you'd get the same effect.

> How can I tell snort to ignore these portscans? I cannot list every DNS
> server in the portscan-ignorehosts.

Will this work?  Defining a network without your DNS server(s):

var HOME_NET_NODNS [$HOME_NET,!your.dns.ip/32]


preprocessor portscan: $HOME_NET_NODNS 4 3 portscan.log


The difference between the right word and the almost right word is the
difference between lightning and the lightning bug.
		-- Mark Twain
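
An added example, not part of the original message and not Snort's code: a simplified Python model of a "4 ports in 3 seconds" threshold, showing what changes when the DNS host is carved out of the monitored network. The addresses, packets, and the exact threshold comparison are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

def parse_netlist(spec):
    """Split a '[net,!net]' style list into (included, excluded) networks."""
    inc, exc = [], []
    for item in spec.strip("[]").split(","):
        item = item.strip()
        (exc if item.startswith("!") else inc).append(
            ipaddress.ip_network(item.lstrip("!")))
    return inc, exc

def monitored(ip, inc, exc):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in inc) and not any(addr in n for n in exc)

def detect(packets, netspec, ports=4, seconds=3):
    """Return sources that reach `ports` distinct destination ports on
    monitored hosts within `seconds` (assumed model of the threshold)."""
    inc, exc = parse_netlist(netspec)
    seen = defaultdict(list)              # src -> [(time, dport), ...]
    flagged = set()
    for t, src, dst, dport in sorted(packets):
        if not monitored(dst, inc, exc):
            continue                      # destination is outside the watched net
        window = [(pt, p) for pt, p in seen[src] if t - pt <= seconds]
        window.append((t, dport))
        seen[src] = window
        if len({p for _, p in window}) >= ports:
            flagged.add(src)
    return flagged

# Constructed traffic: (time, source, destination, destination port)
RESOLVER = "192.168.1.53"                 # hypothetical local DNS host
PACKETS = (
    # remote DNS server answering the resolver on many ephemeral ports
    [(0.1 * i, "198.51.100.10", RESOLVER, 1025 + 7 * i) for i in range(5)]
    # scan of an ordinary internal host
    + [(10 + 0.2 * i, "203.0.113.7", "192.168.1.20", p)
       for i, p in enumerate([21, 22, 23, 25])]
    # scan aimed at the DNS host itself
    + [(20 + 0.2 * i, "203.0.113.9", RESOLVER, p)
       for i, p in enumerate([21, 22, 23, 25])]
)

if __name__ == "__main__":
    print(sorted(detect(PACKETS, "192.168.1.0/24")))
    print(sorted(detect(PACKETS, "[192.168.1.0/24,!192.168.1.53/32]")))
```

In this model the exclusion silences the DNS reply traffic, and it also stops the scan directed at the DNS host from being flagged, so that host needs other coverage.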
