[Snort-users] DNS portscan alerts

Leigh David Heyman leigh at ...5300...
Mon Mar 18 08:31:22 EST 2002


Hi Dushyanth,
sorry, I'd made two assumptions, first that xxx.xxx.xxx was a single system, 
and second, that it was your nameserver.

is xxx.xxx.xxx a single host, and is it your nameserver?

I'm not all that familiar with djbdns, but looking at this closer, I guess 
dnscache increments the UDP source port for recursive lookups to a single 
nameserver, where BIND uses a consistent UDP source port?  Is this a feature? 
I don't know.


> 
> > var HOME_NET_NODNS [$HOME_NET,!your.dns.ip/32]
> > then
> > 
> > preprocessor portscan: $HOME_NET_NODNS 4 3 portscan.log
> 
> This I have already done, I have put my DNS servers into
> portscan-ignorehosts and they don't cause any alerts.
> 

err... I think you misunderstood me here.  IIRC portscan-ignorehosts is the 
list of hosts/networks to ignore portscans FROM, whereas the network you 
define as a parameter to the portscan preprocessor directive is the network 
you want to watch for portscans TO.  I was suggesting that if you have a 
single host, xxx.xxx.xxx which is triggering these portscan alerts, that you 
define a network variable without this host to pass to the portscan 
directive... then, maybe, the dns "portscans" to the host won't be noticed at 
all by the portscan preprocessor (rather than "noticed" but ignored).
But I'd need someone else on the list to confirm this behavior for me..

-Leigh
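A small model of the distinction Leigh describes (added here, not Snort's code and not from either poster): the network handed to the portscan preprocessor selects what is watched for scans TO it, while portscan-ignorehosts drops scans FROM the listed sources. It follows Leigh's reading of those semantics and a simplified "N ports within M seconds" rule; the addresses are constructed documentation ranges, with 192.0.2.10 standing in for the dnscache host and 198.51.100.53 for a remote nameserver answering to its incrementing source ports.

```python
"""Simplified model of how the Snort 1.x portscan preprocessor decides to
alert (added illustration, not Snort's code): one source hitting at least
`ports` distinct ports on a watched host within `seconds` is a scan."""
import ipaddress
from collections import defaultdict

# Constructed traffic: (time, src, dst, dst_port). A dnscache on 192.0.2.10
# sends recursive queries from incrementing UDP source ports, so the remote
# nameserver's replies land on many different ports of that one host.
DNS_REPLIES = [(t, "198.51.100.53", "192.0.2.10", 40000 + t) for t in range(6)]
# A genuine scan from an outside host against another internal host.
REAL_SCAN = [(t, "203.0.113.7", "192.0.2.20", 20 + t) for t in range(6)]

def in_net_list(ip, spec):
    """Snort-style list such as ["192.0.2.0/24", "!192.0.2.10/32"]: an address
    matches if it is inside a positive entry and inside no negated entry."""
    ip = ipaddress.ip_address(ip)
    pos = [ipaddress.ip_network(s) for s in spec if not s.startswith("!")]
    neg = [ipaddress.ip_network(s[1:]) for s in spec if s.startswith("!")]
    return any(ip in n for n in pos) and not any(ip in n for n in neg)

def portscan_alerts(packets, watched, ignore_from, ports=4, seconds=3):
    """Return the (src, dst) pairs that alert. `watched` is the network given
    to the preprocessor (scans TO it are checked); `ignore_from` models
    portscan-ignorehosts (scans FROM these sources are dropped)."""
    history = defaultdict(list)          # (src, dst) -> [(time, port), ...]
    alerts = set()
    for t, src, dst, port in packets:
        if not in_net_list(dst, watched) or in_net_list(src, ignore_from):
            continue
        history[(src, dst)].append((t, port))
        recent = {p for ts, p in history[(src, dst)] if t - ts <= seconds}
        if len(recent) >= ports:
            alerts.add((src, dst))
    return alerts

HOME_NET = ["192.0.2.0/24"]
HOME_NET_NODNS = ["192.0.2.0/24", "!192.0.2.10/32"]
TRAFFIC = DNS_REPLIES + REAL_SCAN

def with_ignorehosts():
    """DNS host listed in portscan-ignorehosts: the replies still alert,
    because the apparent scanner is the remote nameserver, not the ignored host."""
    return portscan_alerts(TRAFFIC, HOME_NET, ["192.0.2.10/32"])

def with_home_net_nodns():
    """DNS host excluded from the watched network: its traffic is never
    examined, while the real scan against 192.0.2.20 is still caught."""
    return portscan_alerts(TRAFFIC, HOME_NET_NODNS, [])
```

Run both functions to compare the two configurations on the same constructed traffic; only the second one silences the DNS replies without losing the genuine scan.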