[Snort-users] DNS portscan alerts

Dushyanth Harinath dushy at ...5318...
Mon Mar 18 21:32:03 EST 2002


* Leigh David Heyman <leigh at ...5300...> [020319 04:15]:
> 
> > 
> > Oh, sorry, my mistake, but the alerts are from many nameservers, not
> > from a particular one, and listing them all is not possible.
> > 
> 
> True, but are the scans TO several systems or just one or a few... while 
> clearly you can't ignore all the external nameservers which are "scanning" 
> you, can you possibly exclude your "internal" systems which are being 
> "scanned" from the group of systems which spp_portscan is watching over, or 
> would that simply mean your entire network, and thus disabling spp_portscan 
> altogether?

No, I can't do that because it's my public interface.

Let me explain better.

                             --------
                             |Router|
                             --------
                               |
                               | eth0 (xxx.xxx.xxx.xxx) public IP
                            ----------
                            | server | 
                            |        |
                             ---------
                               | eth1 (192.168.0.1) Local Lan IP
                               | Snort and dnscache 
                  ---------------------------
                  |     |    |    |     |   |
                    
                    client machines on lan


Whenever the dnscache running on 192.168.0.1 queries an external DNS server,
it results in a portscan alert with the source being the external DNS server
and the destination being my public interface on the server.

Some of the logs again.

Mar 15 12:05:27 203.255.112.34:53 -> xxx.xxx.xxx.xxx:8067 UDP  
Mar 15 12:05:27 203.255.112.34:53 -> xxx.xxx.xxx.xxx:39735 UDP  
Mar 15 12:05:27 203.255.112.34:53 -> xxx.xxx.xxx.xxx:9439 UDP  
Mar 15 12:05:28 203.255.112.34:53 -> xxx.xxx.xxx.xxx:41048 UDP  
Mar 15 12:05:28 203.255.112.34:53 -> xxx.xxx.xxx.xxx:61123 UDP  
Mar 15 12:05:28 203.255.112.34:53 -> xxx.xxx.xxx.xxx:57003 UDP  
Mar 15 12:05:28 203.255.112.34:53 -> xxx.xxx.xxx.xxx:49847 UDP  
Mar 15 12:05:29 203.255.112.34:53 -> xxx.xxx.xxx.xxx:6503 UDP  
Mar 15 12:05:29 203.255.112.34:53 -> xxx.xxx.xxx.xxx:14650 UDP  
Mar 15 12:05:29 203.255.112.34:53 -> xxx.xxx.xxx.xxx:24046 UDP  
Mar 15 12:05:29 203.255.112.34:53 -> xxx.xxx.xxx.xxx:45110 UDP  
Mar 15 12:05:29 203.255.112.34:53 -> xxx.xxx.xxx.xxx:16721 UDP  


So, I can't ignore the portscan traffic to the public interface.

Hope I have explained clearly now :)
cheers
dushyanth
-- 
How about some patent       |  Dushyanth Harinath
on "(a+b)2 == a2+2ab+b2"    |  Archean Infotech
... choose free software!   |  http://www.archeanit.com
 --some Usenet siggy        |  http://symonds.net/~dushy
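The pattern in the log above is what a recursive resolver produces: dnscache sends each upstream query from a fresh ephemeral source port, so the replies come back from nameserver:53 to many high ports on the public interface within a second or two, which is exactly the shape spp_portscan reports. The script below is an added example (not Snort code and not from the original post) that parses spp_portscan-style log lines, groups hits by source IP, and separates "port 53 UDP to ephemeral ports only" from anything that touches low ports or other protocols. The sample lines are constructed to match the format in the post (the masked public IP is kept as xxx.xxx.xxx.xxx); the threshold EPHEMERAL_MIN = 1024 is an assumption about the resolver's source-port range.

```python
"""Classify spp_portscan log lines: DNS-reply fan-out versus a real scan.

Added example, not part of Snort. Heuristic only: it keys on the fact that
resolver replies are UDP, come from source port 53, and land on ephemeral
destination ports, while a scan walks service ports or uses other protocols.
"""
import re
from collections import defaultdict

# Matches lines of the form:
#   Mar 15 12:05:27 203.255.112.34:53 -> xxx.xxx.xxx.xxx:8067 UDP
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+(?P<proto>\w+)"
)

# Assumption: the resolver never picks a query source port below this value.
EPHEMERAL_MIN = 1024

# Constructed sample input in the same format as the post's log excerpt.
# The first group is resolver-reply fan-out; the second is a TCP sweep of
# service ports; the third uses source port 53 but probes low UDP ports.
SAMPLE_LOG = """\
Mar 15 12:05:27 203.255.112.34:53 -> xxx.xxx.xxx.xxx:8067 UDP
Mar 15 12:05:27 203.255.112.34:53 -> xxx.xxx.xxx.xxx:39735 UDP
Mar 15 12:05:28 203.255.112.34:53 -> xxx.xxx.xxx.xxx:41048 UDP
Mar 15 12:05:29 203.255.112.34:53 -> xxx.xxx.xxx.xxx:6503 UDP
Mar 15 12:07:01 10.9.8.7:40000 -> xxx.xxx.xxx.xxx:21 TCP
Mar 15 12:07:01 10.9.8.7:40001 -> xxx.xxx.xxx.xxx:22 TCP
Mar 15 12:07:02 10.9.8.7:40002 -> xxx.xxx.xxx.xxx:23 TCP
Mar 15 12:08:00 198.51.100.9:53 -> xxx.xxx.xxx.xxx:69 UDP
Mar 15 12:08:00 198.51.100.9:53 -> xxx.xxx.xxx.xxx:161 UDP
Mar 15 12:08:01 198.51.100.9:53 -> xxx.xxx.xxx.xxx:514 UDP
"""


def parse(text):
    """Yield one record per well-formed log line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            yield rec


def classify_portscan_log(text):
    """Group hits by source IP and label each group.

    Returns {src_ip: {"hits": n, "distinct_dports": n, "verdict": str}} where
    verdict is "dns_replies" only if every hit from that source is UDP, from
    source port 53, and to a destination port at or above EPHEMERAL_MIN.
    """
    by_src = defaultdict(list)
    for rec in parse(text):
        by_src[rec["src"]].append(rec)

    verdicts = {}
    for src, recs in by_src.items():
        looks_like_dns = all(
            r["proto"] == "UDP" and r["sport"] == 53 and r["dport"] >= EPHEMERAL_MIN
            for r in recs
        )
        verdicts[src] = {
            "hits": len(recs),
            "distinct_dports": len({r["dport"] for r in recs}),
            "verdict": "dns_replies" if looks_like_dns else "scan",
        }
    return verdicts


if __name__ == "__main__":
    for src, info in sorted(classify_portscan_log(SAMPLE_LOG).items()):
        print(f"{src:16} hits={info['hits']:3} dports={info['distinct_dports']:3} {info['verdict']}")
```

The destination-port check is what carries the weight here: a scanner can set its source port to 53 on purpose (the 198.51.100.9 group above) to slip past filters that trust "from port 53", so any allow-list built from this classification should be limited to nameservers you actually query, and the proper fix remains matching replies to the resolver's outstanding queries rather than trusting the source port alone.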