Snort mailing list archives
RE: probe alerts
From: "Jyri Hovila" <jyri.hovila () iki fi>
Date: Mon, 6 Aug 2001 03:21:52 +0300
Hi Jim!
> Aug 5 18:33:26 clearwater snort[1200]: [1:515:2] MISC source port 53 to <1024 [Classification: Potentially Bad Traffic Priority: 2]: 209.242.137.131:53 -> 192.168.1.2:53
>
> 192.168.1.2 is the host running snort and named.
Ok, the DNS_SERVERS variable does not affect this. Make sure variables EXTERNAL_NET and HOME_NET are configured properly in snort.conf. By default, EXTERNAL_NET's value is 'any', which includes *all* IP addresses, including the address of this host itself, and this causes false alarms like the one you're experiencing. I've configured the variables like this:

    var HOME_NET [10.0.0.0/24]
    var EXTERNAL_NET !$HOME_NET

This way EXTERNAL_NET is any address, excluding my home address(es). =) Just make sure you configure HOME_NET *before* EXTERNAL_NET, otherwise it won't work.
> Also getting a bunch of these logged.
>
> Aug 5 13:45:39 clearwater snort: spp_portscan: portscan status from 192.168.1.2: 1 connections across 1 hosts: TCP(0), UDP(1)
> Aug 5 13:45:43 clearwater snort: spp_portscan: portscan status from 192.168.1.2: 1 connections across 1 hosts: TCP(1), UDP(0)
> Aug 5 13:45:47 clearwater snort: spp_portscan: portscan status from 192.168.1.2: 2 connections across 2 hosts: TCP(0), UDP(2)
> Aug 5 13:45:52 clearwater snort: spp_portscan: End of portscan from 192.168.1.2
>
> In regard to nameservers var I've tried this:
>
> var DNS_SERVERS $HOME_NET
>
> and
>
> var DNS_SERVERS 192.168.1.2/32,192.168.1.200/32
>
> (there is another NS on my local subnet)
Correct format for DNS_SERVERS is this:

    var DNS_SERVERS [192.168.1.2/32,192.168.1.200/32]

You have to have the brackets there. Also make sure you have the following line uncommented:

    preprocessor portscan-ignorehosts: $DNS_SERVERS

I've stopped using the portscan preprocessor as it was giving too many false alarms. If you're using Snort version 1.8 (and you should! ;), you can use the stream4 preprocessor to detect portscans.

Hope this helps you!

Yours,
Jyri

Information Security Specialist
Tel: +358-41-448 3238
E-mail: jyri.hovila () iki fi
Certifications: http://www.brainbench.com/transcript.jsp?pid=2301241
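As an added illustration of the two points made in this reply (the 'any' default for EXTERNAL_NET matching the sensor's own address, and HOME_NET having to be defined before EXTERNAL_NET), here is a small Python model of Snort's variable expansion and address-list matching. It is constructed example code, not from the thread or from Snort; the snort.conf fragments are made up for Jim's 192.168.1.0/24 subnet and the addresses are the ones from his alert.

```python
import ipaddress

# Constructed snort.conf fragments modelled on the thread: Jim's 192.168.1.0/24 LAN,
# the default EXTERNAL_NET of 'any', and the !$HOME_NET fix. Not Snort's own parser.
CONF_DEFAULT = """
var HOME_NET [192.168.1.0/24]
var EXTERNAL_NET any
"""
CONF_FIXED = """
var HOME_NET [192.168.1.0/24]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS [192.168.1.2/32,192.168.1.200/32]
"""
CONF_WRONG_ORDER = """
var EXTERNAL_NET !$HOME_NET
var HOME_NET [192.168.1.0/24]
"""

def parse_vars(conf):
    """Resolve 'var NAME VALUE' lines top to bottom, expanding $REFS textually.
    A $REF to a variable not yet defined is an error (hence HOME_NET first)."""
    resolved = {}
    for line in conf.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[0] != "var":
            continue
        name, value = parts[1], parts[2]
        for ref, val in resolved.items():
            value = value.replace("$" + ref, val)
        if "$" in value:
            raise ValueError(f"{name}: reference to undefined variable in {value!r}")
        resolved[name] = value
    return resolved

def in_list(ip_list, ip):
    """Snort-style list: 'any', optional leading '!' negation, [cidr,cidr,...]."""
    negate = ip_list.startswith("!")
    body = ip_list.lstrip("!")
    if body == "any":
        hit = True
    else:
        nets = [ipaddress.ip_network(n, strict=False) for n in body.strip("[]").split(",")]
        hit = any(ipaddress.ip_address(ip) in net for net in nets)
    return hit != negate

def is_external(conf, src_ip):
    """Would a rule using $EXTERNAL_NET as its source treat src_ip as external?"""
    return in_list(parse_vars(conf)["EXTERNAL_NET"], src_ip)
```

With CONF_DEFAULT the sensor's own address 192.168.1.2 is "external", which is exactly the false alarm above; with CONF_FIXED it is not, while 209.242.137.131 still is.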