[Snort-users] DNS portscan alerts
Leigh David Heyman
leigh at ...5300...
Mon Mar 18 08:31:22 EST 2002
sorry, I'd made two assumptions, first that xxx.xxx.xxx was a single system,
and second, that it was your nameserver.
is xxx.xxx.xxx a single host, and is it your nameserver?
I'm not all that familiar with djbdns, but looking at this closer, I guess
dnscache increments the UDP source port for recursive lookups to a single
nameserver, where BIND uses a consistent udp source port? Is this a feature--
I dont' know.
> > var HOME_NET_NODNS [$HOME_NET,!your.dns.ip/32]
> > then
> > preprocessor portscan: $HOME_NET_NODNS 4 3 portscan.log
> This i have already done, i have put my DNS servers into
> portscan-ignorehosts and they dont cause any alerts.
err... I think you misunderstood me here. IIRC portscan-ignorehosts is the
list of hosts/networks to ignore portscans FROM, whereas the network you
define as a parameter to the portscan preprocessor directive is the network
you want to watch for portscans TO. I was suggesting that if you have a
single host, xxx.xxx.xxx which is triggering these portscan alerts, that you
define a network variable without this host to pass to the portscan
directive... then, maybe, the dns "portscans" to the host won't be noticed at
all by the portscan preprocessor (rather than "noticed" but ignored).
But I'd need someone else on the list to confirm this behavior for me..
More information about the Snort-users