[Snort-users] DNS portscan alerts
dushy at ...5318...
Mon Mar 18 09:30:07 EST 2002
* Leigh David Heyman <leigh at ...5300...> [020318 16:50]:
> I'm not all that familiar with djbdns, but looking at this closer, I guess
> dnscache increments the UDP source port for recursive lookups to a single
> nameserver, where BIND uses a consistent UDP source port? Is this a feature?
> I don't know.
This is what I was thinking too; I will check the djbdns docs/source
to confirm that.
> > > var HOME_NET_NODNS [$HOME_NET,!your.dns.ip/32]
> > > then
> > >
> > > preprocessor portscan: $HOME_NET_NODNS 4 3 portscan.log
> > This I have already done; I have put my DNS servers into
> > portscan-ignorehosts and they don't cause any alerts.
> err... I think you misunderstood me here. IIRC portscan-ignorehosts is the
> list of hosts/networks to ignore portscans FROM, whereas the network you
> define as a parameter to the portscan preprocessor directive is the network
> you want to watch for portscans TO. I was suggesting that if you have a
> single host, xxx.xxx.xxx which is triggering these portscan alerts, that you
> define a network variable without this host to pass to the portscan
> directive... then, maybe, the dns "portscans" to the host won't be noticed at
> all by the portscan preprocessor (rather than "noticed" but ignored).
Oh, sorry, my mistake, but the alerts are from many nameservers, not
from a particular one, and listing them all is not possible.
How about some patent | Dushyanth Harinath
on "(a+b)2 == a2+2ab+b2" | Archean Infotech
... choose free software! | http://www.archeanit.com
--some Usenet siggy | http://symonds.net/~dushy
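The distinction Leigh draws above (the preprocessor's network argument filters on the destination of the suspected scan, while portscan-ignorehosts filters on its source) is easy to get backwards, so here is a small model of the two filters run over constructed packets. This is an added illustration written for this page, not Snort's code and not from either poster: it reimplements only the "N distinct ports within M seconds" heuristic that the quoted `preprocessor portscan: $HOME_NET_NODNS 4 3 portscan.log` line configures. The addresses (192.0.2.53 as the local resolver, 198.51.100.1 and 203.0.113.7 as remote nameservers, 203.0.113.99 as a real scanner) are assumed documentation addresses, and the packet list is constructed to reflect the thread's scenario of a resolver that uses a fresh UDP source port per outgoing query, so every reply from a remote nameserver lands on a different local port.

```python
"""Simplified model of Snort 1.x's portscan preprocessor filters.

Added example for this thread; not Snort's own implementation.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample traffic: (time_s, src_ip, dst_ip, dst_port).
# The local resolver 192.0.2.53 used a new UDP source port for each query,
# so each nameserver's replies hit four different ports within 3 seconds,
# which is exactly what the "4 3" threshold in the quoted config flags.
SAMPLE_PACKETS = [
    (0.0, "198.51.100.1", "192.0.2.53", 40001),
    (0.5, "198.51.100.1", "192.0.2.53", 40002),
    (1.0, "198.51.100.1", "192.0.2.53", 40003),
    (1.5, "198.51.100.1", "192.0.2.53", 40004),
    (2.0, "203.0.113.7", "192.0.2.53", 41010),
    (2.2, "203.0.113.7", "192.0.2.53", 41011),
    (2.4, "203.0.113.7", "192.0.2.53", 41012),
    (2.6, "203.0.113.7", "192.0.2.53", 41013),
    # A genuine scan against another internal host; this must always alert.
    (3.0, "203.0.113.99", "192.0.2.10", 21),
    (3.1, "203.0.113.99", "192.0.2.10", 22),
    (3.2, "203.0.113.99", "192.0.2.10", 23),
    (3.3, "203.0.113.99", "192.0.2.10", 25),
]


def parse_nets(specs):
    """Split a Snort-style list such as ['192.0.2.0/24', '!192.0.2.53/32']
    into (include, exclude) network lists; '!' marks an exclusion."""
    include, exclude = [], []
    for spec in specs:
        if spec.startswith("!"):
            exclude.append(ip_network(spec[1:], strict=False))
        else:
            include.append(ip_network(spec, strict=False))
    return include, exclude


def in_monitored(ip, include, exclude):
    """True when ip is inside an included net and not inside an excluded one."""
    addr = ip_address(ip)
    return any(addr in n for n in include) and not any(addr in n for n in exclude)


def detect_portscans(packets, monitored, ignorehosts, ports=4, period=3.0):
    """Return sorted (src, dst) pairs that touched >= `ports` distinct
    destination ports within any `period`-second window.

    `monitored` is the preprocessor's network argument: it filters on the
    DESTINATION of the traffic. `ignorehosts` models portscan-ignorehosts:
    it filters on the SOURCE. That asymmetry is the point of the thread.
    """
    include, exclude = parse_nets(monitored)
    ignored = [ip_network(h, strict=False) for h in ignorehosts]
    history = defaultdict(list)  # (src, dst) -> [(time, dport), ...]
    alerts = set()
    for t, src, dst, dport in sorted(packets):
        if not in_monitored(dst, include, exclude):
            continue  # target is not in the watched network at all
        if any(ip_address(src) in n for n in ignored):
            continue  # source is explicitly ignored
        window = history[(src, dst)]
        window.append((t, dport))
        # Drop events that have fallen out of the sliding window.
        window[:] = [(ts, p) for ts, p in window if t - ts <= period]
        if len({p for _, p in window}) >= ports:
            alerts.add((src, dst))
    return sorted(alerts)


if __name__ == "__main__":
    # Watch the whole subnet: both nameservers and the scanner alert.
    print(detect_portscans(SAMPLE_PACKETS, ["192.0.2.0/24"], []))
    # Ignoring one nameserver as a source only silences that one.
    print(detect_portscans(SAMPLE_PACKETS, ["192.0.2.0/24"], ["198.51.100.1/32"]))
    # Excluding the resolver as a destination silences every nameserver,
    # while the scan against 192.0.2.10 still alerts.
    print(detect_portscans(SAMPLE_PACKETS, ["192.0.2.0/24", "!192.0.2.53/32"], []))
```

The third call corresponds to the `HOME_NET_NODNS` suggestion: because the replies all target the resolver, excluding it from the watched network removes the false positives for every remote nameserver at once, whereas portscan-ignorehosts has to name each remote source, which is what makes it unworkable when the alerts come from many nameservers.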