[Snort-users] DNS portscan alerts
Leigh David Heyman
leigh at ...5300...
Mon Mar 18 09:44:12 EST 2002
> Oh, sorry, my mistake, but the alerts are from many nameservers, not
> from a particular one and listing them all is not possible.
True, but are the scans TO several systems or just one or a few... while
clearly you can't ignore all the external nameservers which are "scanning"
you, can you possibly exclude your "internal" systems which are being
"scanned" from the group of systems which spp_portscan is watching over, or
would that simply mean your entire network, and thus disabling spp_portscan