[Snort-users] Portscan false positives reg. DNS caching server

Reckhard, Tobias tobias.reckhard at ...5872...
Wed May 15 02:08:02 EDT 2002


Hi all

I've got the problem that I'm experiencing a much too high ratio of false
positives using preprocessor portscan. I keep getting alerts about supposed
portscans to my internal, caching DNS server, which arise because of the
sometimes numerous responses when the DNS cache wanders from the roots to
the authoritative servers. I've already placed the host into the
preprocessor portscan-ignorehosts list, but that appears to take only the
source of the packets into consideration. I receive DNS replies from the
entire Internet, but I might as well deactivate the portscan detection and
save some CPU cycles if I were to insert 0/0 to preprocessor
portscan-ignorehosts...

Any ideas, anyone? I couldn't find anything on Google and in the FAQ (and
I'm usually not that bad at RTFMing).

Thanks,
Tobias
-- 
Tobias Reckhard
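
The behaviour described in the post, as an added example that is not part of the original message and not Snort's code: a simplified threshold detector showing why a source-keyed ignore list does not suppress alerts caused by replies sent to the caching server. The addresses, the thresholds (4 ports in 3 seconds) and the `dns_reply_to_cache` filter are constructed assumptions, not Snort options.

```python
from collections import defaultdict

def detect_scans(packets, ports=4, seconds=3, ignore_sources=(), exempt=None):
    """Return the source IPs that touch >= `ports` distinct destination
    ports within `seconds`. Simplified model, not Snort's implementation."""
    seen = defaultdict(list)            # src -> [(time, dst_port)] inside the window
    flagged = set()
    for t, src, sport, dst, dport in sorted(packets):
        if src in ignore_sources:       # source-only exemption, as the post describes
            continue
        if exempt and exempt(src, sport, dst, dport):
            continue                    # hypothetical destination-aware exemption
        window = [(ts, p) for ts, p in seen[src] if t - ts <= seconds]
        window.append((t, dport))
        seen[src] = window
        if len({p for _, p in window}) >= ports:
            flagged.add(src)
    return flagged

# Constructed sample hosts (documentation address ranges).
CACHE = "192.0.2.10"       # internal caching DNS server
NS = "198.51.100.53"       # remote authoritative name server
SCANNER = "203.0.113.7"    # host probing consecutive low ports

# Constructed traffic: (time, src, src_port, dst, dst_port).
# The name server answers five queries, each on a different ephemeral port
# of the cache; the scanner probes five low ports ten seconds later.
PACKETS = (
    [(0.1 * i, NS, 53, CACHE, 32768 + i) for i in range(5)]
    + [(10 + 0.1 * i, SCANNER, 40000, CACHE, 20 + i) for i in range(5)]
)

def dns_reply_to_cache(src, sport, dst, dport):
    """Hypothetical filter: traffic from source port 53 to the cache only."""
    return dst == CACHE and sport == 53

if __name__ == "__main__":
    # Listing the cache as an ignored *source* changes nothing: the replies
    # come from the name server, so it is still flagged.
    print(sorted(detect_scans(PACKETS, ignore_sources={CACHE})))
    # Exempting by destination and source port drops the DNS false positive
    # while the probe of the cache is still reported.
    print(sorted(detect_scans(PACKETS, exempt=dns_reply_to_cache)))
```

The source port is chosen by the sender, so an exemption like `dns_reply_to_cache` narrows the blind spot compared with ignoring 0/0 but does not remove it.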



