[Snort-users] DNS portscan alerts

Leigh David Heyman leigh at ...5300...
Mon Mar 18 09:44:12 EST 2002


> 
> Oh, Sorry , my mistake , but the alerts are from many nameservers, not
> from a particular one and listing them all is not possible.
> 

True, but are the scans TO several systems or just one or a few... while 
clearly you can't ignore all the external nameservers which are "scanning" 
you, can you possibly exclude your "internal" systems which are being 
"scanned" from the group of systems which spp_portscan is watching aver, or 
would that simply mean your entire network, and thus disabling spp_portscan 
altogether?

-Leigh





More information about the Snort-users mailing list