[Snort-users] DNS portscan alerts
dushy at ...5318...
Fri Mar 15 21:31:09 EST 2002
* Leigh David Heyman <leigh at ...5300...> [020316 04:56]:
> > I didn't have this problem when I used to run bind. It used to run on
> > the public interface though.
> Of course you didn't if you were running snort on the local interface, and
> bind on the public interface. I imagine if you run bind on the local
> interface you'd get the same effect
No, it doesn't. Running bind on the local LAN interface doesn't cause
any portscans from the DNS servers.
> > How can I tell snort to ignore these portscans? I cannot list every DNS
> > server in the portscan-ignorehosts.
> Will this work? Defining a network without your DNS server(s):
The DNS server(s) generating the portscans are not mine. Some of them
are ns.apnic.net, etc. So, whenever dnscache is making a query to those
servers, I get a portscan alert.
> var HOME_NET_NODNS [$HOME_NET,!your.dns.ip/32]
> preprocessor portscan: $HOME_NET_NODNS 4 3 portscan.log
This I have already done; I have put my DNS servers into
portscan-ignorehosts and they don't cause any alerts.
How about some patent | Dushyanth Harinath
on "(a+b)2 == a2+2ab+b2" | Archean Infotech
... choose free software! | http://www.archeanit.com
--some Usenet siggy | http://symonds.net/~dushy
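To see why a resolver's replies can trip the old N-ports-in-T-seconds portscan heuristic that `preprocessor portscan: $HOME_NET 4 3 portscan.log` configures, here is an added example (not code from the thread or from Snort) that replays constructed packets through a minimal re-implementation of that heuristic, together with an ignore list standing in for portscan-ignorehosts. It assumes dnscache sends each outbound query from a new source port, so the replies from one external DNS server land on several local ports within the window; the IPs, ports and timestamps are made up.

```python
from collections import defaultdict, deque

# Constructed sample traffic: (timestamp, src_ip, src_port, dst_ip, dst_port).
# Four replies from one external DNS server (port 53) to a local dnscache that
# used a fresh source port per query, plus one unrelated HTTPS reply.
PACKETS = [
    (100.0, "203.0.113.5", 53, "192.0.2.10", 40001),
    (100.4, "203.0.113.5", 53, "192.0.2.10", 40517),
    (100.9, "203.0.113.5", 53, "192.0.2.10", 41022),
    (101.5, "203.0.113.5", 53, "192.0.2.10", 41990),
    (101.6, "198.51.100.7", 443, "192.0.2.10", 50001),
]


def detect_portscans(packets, monitored, ports=4, seconds=3, ignore=frozenset()):
    """Flag a source that reaches `ports` distinct destination ports on one
    monitored host within `seconds` (the classic "4 ports in 3 seconds" rule).
    Sources listed in `ignore` are skipped, like portscan-ignorehosts.
    Returns a list of (src_ip, dst_ip, alert_time)."""
    history = defaultdict(deque)  # (src, dst) -> deque of (time, dst_port)
    alerts = []
    for ts, src, _sport, dst, dport in sorted(packets):
        if src in ignore or dst not in monitored:
            continue
        window = history[(src, dst)]
        window.append((ts, dport))
        # Drop entries that fell out of the detection period.
        while window and ts - window[0][0] > seconds:
            window.popleft()
        if len({p for _, p in window}) >= ports:
            alerts.append((src, dst, ts))
            window.clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    local = {"192.0.2.10"}
    print("alerts:", detect_portscans(PACKETS, local))
    print("with ignore list:",
          detect_portscans(PACKETS, local, ignore={"203.0.113.5"}))
```

The external server is flagged at the fourth reply even though it only ever answered queries the resolver sent, which is the false positive described above; adding it to the ignore list silences it, but that does not scale to every DNS server on the Internet.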