[Snort-users] DNS portscan alerts

Dushyanth Harinath dushy at ...5318...
Mon Mar 18 09:30:07 EST 2002


* Leigh David Heyman <leigh at ...5300...> [020318 16:50]:

> I'm not all that familiar with djbdns, but looking at this closer, I guess 
> dnscache increments the UDP source port for recursive lookups to a single 
> nameserver, where BIND uses a consistent udp source port?  Is this a feature-- 
> I don't know.

This is what I was thinking too, I will check the djbdns docs/source
to confirm that. 

> > 
> > > var HOME_NET_NODNS [$HOME_NET,!your.dns.ip/32]
> > > then
> > > 
> > > preprocessor portscan: $HOME_NET_NODNS 4 3 portscan.log
> > 
> > This I have already done, I have put my DNS servers into
> > portscan-ignorehosts and they don't cause any alerts.
> > 
> err... I think you misunderstood me here.  IIRC portscan-ignorehosts is the 
> list of hosts/networks to ignore portscans FROM, whereas the network you 
> define as a parameter to the portscan preprocessor directive is the network 
> you want to watch for portscans TO.  I was suggesting that if you have a 
> single host, xxx.xxx.xxx which is triggering these portscan alerts, that you 
> define a network variable without this host to pass to the portscan 
> directive... then, maybe, the dns "portscans" to the host won't be noticed at 
> all by the portscan preprocessor (rather than "noticed" but ignored).

Oh, sorry, my mistake, but the alerts are from many nameservers, not
from a particular one and listing them all is not possible.

How about some patent       |  Dushyanth Harinath
on "(a+b)2 == a2+2ab+b2"    |  Archean Infotech
... choose free software!   |  http://www.archeanit.com
 --some Usenet siggy        |  http://symonds.net/~dushy
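A small model of the false positive discussed above, added here and not part of the original post or of Snort itself: constructed UDP traffic in which one remote nameserver's replies to dnscache's per-query source ports look like a sweep of the resolver, fed through a simplified version of the portscan preprocessor's "ports in seconds" threshold, once with the resolver inside the watched network and once excluded the way [$HOME_NET,!your.dns.ip/32] does. The addresses, the sample traffic and the exact threshold comparison are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample traffic (time_s, src_ip, src_port, dst_ip, dst_port), UDP only.
# 192.0.2.53 is the assumed local dnscache host; 198.51.100.10 is a remote
# nameserver answering its recursive lookups. Each reply lands on a different
# high port because dnscache used a fresh source port for each query.
PACKETS = [
    (0.1, "198.51.100.10", 53, "192.0.2.53", 40211),
    (0.4, "198.51.100.10", 53, "192.0.2.53", 40877),
    (0.9, "198.51.100.10", 53, "192.0.2.53", 41302),
    (1.3, "198.51.100.10", 53, "192.0.2.53", 41990),
    (1.8, "198.51.100.10", 53, "192.0.2.53", 42515),
    # A genuine UDP sweep against a workstation in the same HOME_NET.
    (5.0, "203.0.113.9", 6000, "192.0.2.20", 53),
    (5.2, "203.0.113.9", 6000, "192.0.2.20", 69),
    (5.4, "203.0.113.9", 6000, "192.0.2.20", 111),
    (5.6, "203.0.113.9", 6000, "192.0.2.20", 161),
    (5.8, "203.0.113.9", 6000, "192.0.2.20", 514),
]

def in_watched(ip, include, exclude):
    """Mimic a Snort var like [$HOME_NET,!dns.ip/32]: inside an include
    network and not inside any excluded one."""
    addr = ip_address(ip)
    included = any(addr in ip_network(n) for n in include)
    excluded = any(addr in ip_network(n) for n in exclude)
    return included and not excluded

def portscan_alerts(packets, include, exclude, ports=4, seconds=3):
    """Simplified portscan threshold (the '4 3' of the preprocessor line):
    alert when one source hits `ports` or more distinct ports on one watched
    destination within `seconds`. Firing at >= is an assumption."""
    seen = defaultdict(list)          # (src, dst) -> [(time, dst_port), ...]
    alerts = set()
    for t, src, _sport, dst, dport in sorted(packets):
        if not in_watched(dst, include, exclude):
            continue                  # destination not monitored at all
        window = [(ts, p) for ts, p in seen[(src, dst)] if t - ts <= seconds]
        window.append((t, dport))
        seen[(src, dst)] = window
        if len({p for _, p in window}) >= ports:
            alerts.add((src, dst))
    return sorted(alerts)

def with_dns_watched():
    return portscan_alerts(PACKETS, ["192.0.2.0/24"], [])

def with_dns_excluded():
    return portscan_alerts(PACKETS, ["192.0.2.0/24"], ["192.0.2.53/32"])

if __name__ == "__main__":
    print(with_dns_watched())    # resolver "scanned" by its own replies, plus the real sweep
    print(with_dns_excluded())   # only the real sweep remains
```

Excluding the resolver from the watched network silences the DNS-reply alerts without needing to list every remote nameserver, which is the point of the suggestion in the thread; the cost, also visible here, is that a real scan of the resolver would no longer be seen either.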
