[Snort-users] DNS portscan alerts

Dushyanth Harinath dushy at ...5318...
Fri Mar 15 21:31:09 EST 2002

* Leigh David Heyman <leigh at ...5300...> [020316 04:56]:
> > 
> > I didn't have this problem when i used to run bind, It used to run on
> > the public interface though.
> > 
> Of course you didn't if you were running snort on the local interface, and 
> bind on the public interface.  I imagine if you run bind on the local 
> interface you'd get the same effect

No, it doesn't. Running bind on the local LAN interface doesn't cause
any portscans from the DNS servers.

> > 
> > How can I tell snort to ignore these portscans? I cannot list every DNS
> > server in the portscan-ignorehosts.
> > 
> will this work?  Defining a network without your DNS server(s)

The DNS server(s) generating the portscans are not mine. Some of them
are ns.apnic.net, etc. So, whenever dnscache is making a query to those
servers, I get a portscan alert.

> var HOME_NET_NODNS [$HOME_NET,!your.dns.ip/32]
> then
> preprocessor portscan: $HOME_NET_NODNS 4 3 portscan.log

This I have already done; I have put my DNS servers into
portscan-ignorehosts and they don't cause any alerts.

How about some patent       |  Dushyanth Harinath
on "(a+b)2 == a2+2ab+b2"    |  Archean Infotech
... choose free software!   |  http://www.archeanit.com
 --some Usenet siggy        |  http://symonds.net/~dushy
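The mechanism behind the alerts above, as an added example that is not code from the thread or from Snort: a toy model of the Snort 1.x portscan preprocessor threshold (the "4 3" in the quoted line, i.e. four distinct ports within three seconds) and of a portscan-ignorehosts list, run over constructed traffic. The addresses are assumptions: 10.0.0.5 is a resolver on the home LAN that, like dnscache, takes a fresh ephemeral source port for each query, 203.0.113.53 stands in for a remote authoritative server (not a real address of ns.apnic.net), and 198.51.100.9 is a genuine scanner. Because every reply from port 53 lands on a different port of the resolver, the remote server looks like a scanner; the ignore list suppresses that one server, and a stateful "only count unsolicited packets" check, which the thread does not itself propose, suppresses all of them without listing every DNS server.

```python
"""Toy model of Snort 1.x's portscan threshold and portscan-ignorehosts,
run over constructed traffic.  Added example; not Snort code."""
from collections import defaultdict

# Constructed addresses (assumptions for the example).
RESOLVER = "10.0.0.5"        # dnscache-style resolver: new source port per query
REMOTE_NS = "203.0.113.53"   # stand-in for a remote authoritative server
SCANNER = "198.51.100.9"     # a real scanner
HOME_PREFIX = "10.0.0."      # crude prefix test standing in for $HOME_NET


def make_traffic():
    """Constructed packet log: (time, src_ip, src_port, dst_ip, dst_port)."""
    pkts = []
    # Five queries from random source ports and their replies from port 53.
    for i, sport in enumerate([31001, 31877, 32510, 33122, 33900]):
        t = i * 0.2
        pkts.append((t, RESOLVER, sport, REMOTE_NS, 53))
        pkts.append((t + 0.05, REMOTE_NS, 53, RESOLVER, sport))
    # A scanner probing four ports on another home host within a second.
    for j, dport in enumerate([21, 22, 23, 25]):
        pkts.append((10.0 + j * 0.1, SCANNER, 40000 + j, "10.0.0.7", dport))
    return pkts


def portscan_alerts(packets, home_prefix=HOME_PREFIX, n_ports=4, window=3.0,
                    ignore_hosts=(), suppress_solicited=False):
    """Alert once per (src, dst) when src hits >= n_ports distinct ports on a
    home host within `window` seconds.  ignore_hosts models
    portscan-ignorehosts.  suppress_solicited skips inbound packets that
    answer a request the home host itself sent (a stateful alternative)."""
    history = defaultdict(list)   # (src, dst) -> [(time, dport)]
    outstanding = set()           # (home_ip, home_port, remote_ip) we asked
    alerted = set()
    alerts = []
    for t, src, sport, dst, dport in sorted(packets):
        if src.startswith(home_prefix) and not dst.startswith(home_prefix):
            outstanding.add((src, sport, dst))   # remember our own query
            continue
        if not dst.startswith(home_prefix):
            continue                             # not aimed at $HOME_NET
        if src in ignore_hosts:
            continue                             # portscan-ignorehosts
        if suppress_solicited and (dst, dport, src) in outstanding:
            outstanding.discard((dst, dport, src))
            continue                             # reply to our own query
        hist = history[(src, dst)]
        hist.append((t, dport))
        hist[:] = [(ht, hp) for ht, hp in hist if t - ht <= window]
        ports = {hp for _, hp in hist}
        if len(ports) >= n_ports and (src, dst) not in alerted:
            alerted.add((src, dst))
            alerts.append((src, dst, sorted(ports)))
    return alerts


if __name__ == "__main__":
    traffic = make_traffic()
    print("default:       ", portscan_alerts(traffic))
    print("ignorehosts:   ", portscan_alerts(traffic, ignore_hosts={REMOTE_NS}))
    print("solicited-only:", portscan_alerts(traffic, suppress_solicited=True))
```

With the defaults the remote name server is reported alongside the real scanner; adding it to ignore_hosts removes that one alert, which is exactly the per-server whitelisting the thread finds unworkable for the whole Internet, while the solicited-packet check keeps only the scanner regardless of how many name servers the resolver talks to.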
