[Snort-users] False positives with UDP Portscan PROTO255

Rich Adamson radamson at ...2127...
Sat Mar 5 16:12:46 EST 2005


> Mike Lieberman wrote:
> > I have doubts about some of the messages I am getting from Snort (using 
> > rules for 2.3). For instance the following portscan message is from 
> > ns1.sprintlink.net to ns1.netwright.net. We see DNS server to DNS Server 
> > traffic labeled as port scans. In the case below, unless Sprint's 
> > primary name server (as well as many others from [have]) has been 
> > compromised, these "portscans" would actually have to be something 
> > related to BIND.
> 
> Any significant number of DNS queries within a short time (depending on 
> your portscan settings) will do this because the traffic is 
> connectionless.  Although you and I know these are query/response, the 
> generic portscan preprocessor doesn't.

I think what he's observing is an overly sensitive portscan detector.
I've noticed the same thing with lots of other port numbers, and not
just dns. For all practical purposes, we've had to disable the detector
as it generates far too much noise.
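The mechanism both replies describe, as an added example (not code from the Snort project or from anyone in this thread): a generic UDP port-scan counter has no idea that a packet from port 53 back to an ephemeral port is the answer to an earlier query, so a name server answering thirty lookups in two seconds looks exactly like one host probing thirty ports. The detector below is a deliberately simplified model (distinct destination ports per source/destination pair inside a time window), not sfportscan's real algorithm; the host addresses, timestamps and traffic are constructed. It shows the naive counter firing on the replying server, an allowlist silencing it, and a request/response-aware variant that stays quiet on DNS but still flags a genuine scan.

```python
"""Why connectionless DNS traffic looks like a UDP port scan to a naive
detector, and what an allowlist or request/response pairing changes.

Added example, not Snort code. The detector is a simplified model, not
sfportscan's algorithm. All hosts and packets are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class UdpPacket:
    ts: float      # seconds
    src: str
    sport: int
    dst: str
    dport: int


# Constructed hosts (RFC 5737 documentation ranges), standing in for the
# two name servers discussed in the thread.
SPRINT_NS = "192.0.2.10"      # hypothetical ns1.sprintlink.net
OUR_NS = "198.51.100.53"      # hypothetical ns1.netwright.net
SCANNER = "203.0.113.7"       # hypothetical real scanner


def dns_exchange(ts, resolver, server, ephemeral_port):
    """One DNS lookup: query from an ephemeral port to 53, answer from 53
    back to that ephemeral port."""
    return [
        UdpPacket(ts, resolver, ephemeral_port, server, 53),
        UdpPacket(ts + 0.01, server, 53, resolver, ephemeral_port),
    ]


def build_sample_traffic(n_queries=30):
    """Constructed traffic: OUR_NS resolves n names against SPRINT_NS in
    well under two seconds, each query from a fresh ephemeral port."""
    pkts = []
    for i in range(n_queries):
        pkts += dns_exchange(i * 0.05, OUR_NS, SPRINT_NS, 32768 + i)
    return pkts


def build_scan_traffic(n_ports=20):
    """Constructed real scan: one source, one fixed source port, many
    destination ports, no replies."""
    return [UdpPacket(j * 0.01, SCANNER, 40000, OUR_NS, 1 + j)
            for j in range(n_ports)]


def _count_and_alert(seen, alerts, key, ts, dport, window, threshold):
    """Shared bookkeeping: record the port, expire old entries, alert once
    when the distinct-port count for this (src, dst) pair hits threshold."""
    seen[key].append((ts, dport))
    seen[key] = [(t, d) for t, d in seen[key] if ts - t <= window]
    if len({d for _, d in seen[key]}) >= threshold and key not in alerts:
        alerts.append(key)


def naive_udp_portscan(packets, window=5.0, threshold=15, ignore_scanners=()):
    """Flag a source touching >= threshold distinct UDP destination ports on
    one destination within `window` seconds. It has no notion of
    request/response, which is why DNS replies trip it. `ignore_scanners`
    is an allowlist of networks whose packets are never evaluated."""
    ignored = [ip_network(n) for n in ignore_scanners]
    seen, alerts = defaultdict(list), []
    for p in sorted(packets, key=lambda p: p.ts):
        if any(ip_address(p.src) in net for net in ignored):
            continue
        _count_and_alert(seen, alerts, (p.src, p.dst), p.ts, p.dport,
                         window, threshold)
    return alerts


def response_aware_udp_portscan(packets, window=5.0, threshold=15):
    """Same counter, but a packet whose reversed 4-tuple was seen within
    the window is treated as a reply and not counted as scan evidence."""
    recent = {}   # (src, sport, dst, dport) -> last timestamp seen
    seen, alerts = defaultdict(list), []
    for p in sorted(packets, key=lambda p: p.ts):
        recent[(p.src, p.sport, p.dst, p.dport)] = p.ts
        reverse = (p.dst, p.dport, p.src, p.sport)
        if reverse in recent and p.ts - recent[reverse] <= window:
            continue   # answer to an earlier request, not a probe
        _count_and_alert(seen, alerts, (p.src, p.dst), p.ts, p.dport,
                         window, threshold)
    return alerts


if __name__ == "__main__":
    dns, scan = build_sample_traffic(), build_scan_traffic()
    print("naive, DNS only:      ", naive_udp_portscan(dns))
    print("naive + allowlist:    ", naive_udp_portscan(dns, ignore_scanners=[SPRINT_NS + "/32"]))
    print("response-aware, DNS:  ", response_aware_udp_portscan(dns))
    print("response-aware, scan: ", response_aware_udp_portscan(scan))
```

Note which side gets flagged: the server that answers (SPRINT_NS here) is the one whose packets fan out across many destination ports, so the alert names it as the "scanner", matching the thread's report of a scan "from ns1.sprintlink.net". In Snort 2.x the sfportscan preprocessor exposes `sense_level` and an `ignore_scanners` list for exactly this kind of tuning; listing the known DNS peers there keeps the detector running for everything else, which a wholesale disable gives up.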
