Snort mailing list archives

Portscan preprocessor catching DNS replies


From: Mathieu Nantel <nantel () ecopiabio com>
Date: Wed, 15 Aug 2001 15:42:44 -0400

Hi,

This question is in regard to the portscan preprocessor, I believe. I
have cycled a bit through the archives and the newsgroups and have found
nothing of interest. I'm sorry if that question has already been asked
before.

My problem resides in the fact that Snort's portscan module is catching
DNS query replies (any port 53 -> my_servers port gt 1024). This
generates a great deal of false positives and I am wondering if there is
a way to configure the portscan preprocessor so that it ignores it. I
know that there is a line in snort.conf to ignore the local dns servers,
and you will understand that this does not answer my need. My DNS
server, like any other, recursively asks the root servers, then the
target domain's dns servers, and so on... What I would like to do is, as
an example, ignore anything UDP from port 53 to any over 1024.
Configuring a custom rule in the snort rules file does not solve the
issue. It appears the portscan processor is a totally separate thing
than the stream stuff. I am not talking with knowledge of the underlying
code, please don't flame my ignorance...

Is there a way to deal with this?

Thanks in advance,

-- 
Mathieu
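As an added illustration (not from the post, and not Snort's own portscan code), the following Python model shows why a recursive resolver's reply traffic trips a distinct-port scan heuristic and what the exemption asked for above (UDP from port 53 to any port over 1024) would change; the packet records, addresses, window and threshold are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample traffic: (timestamp, proto, src_ip, src_port, dst_ip, dst_port).
# 192.0.2.10 is the local recursive resolver; 198.51.100.1 is an upstream
# name server answering its queries, each reply landing on a different
# ephemeral port above 1024. 203.0.113.7 is a genuine low-port sweep.
RESOLVER = "192.0.2.10"
PACKETS = [
    (0.0, "udp", "198.51.100.1", 53, RESOLVER, 32771),
    (0.2, "udp", "198.51.100.1", 53, RESOLVER, 32772),
    (0.4, "udp", "198.51.100.1", 53, RESOLVER, 32773),
    (0.6, "udp", "198.51.100.1", 53, RESOLVER, 32774),
    (0.8, "udp", "198.51.100.1", 53, RESOLVER, 32775),
    (1.0, "tcp", "203.0.113.7", 40000, RESOLVER, 21),
    (1.1, "tcp", "203.0.113.7", 40001, RESOLVER, 22),
    (1.2, "tcp", "203.0.113.7", 40002, RESOLVER, 23),
    (1.3, "tcp", "203.0.113.7", 40003, RESOLVER, 25),
    (1.4, "tcp", "203.0.113.7", 40004, RESOLVER, 80),
]


def is_dns_reply(proto, src_port, dst_port):
    """The traffic the post wants exempted: UDP from port 53 to a port above 1024."""
    return proto == "udp" and src_port == 53 and dst_port > 1024


def portscan_alerts(packets, threshold=4, window=3.0, ignore_dns_replies=False):
    """Simplified scan heuristic (hypothetical, not Snort's algorithm): one source
    touching more than `threshold` distinct destination ports on a single host
    within `window` seconds raises an alert. Returns the alerting (src, dst) pairs."""
    history = defaultdict(list)  # (src_ip, dst_ip) -> [(timestamp, dst_port), ...]
    alerts = set()
    for ts, proto, src, sport, dst, dport in sorted(packets):
        if ignore_dns_replies and is_dns_reply(proto, sport, dport):
            continue  # the exemption: never count resolver reply traffic
        hist = history[(src, dst)]
        hist.append((ts, dport))
        recent_ports = {p for t, p in hist if ts - t <= window}
        if len(recent_ports) > threshold:
            alerts.add((src, dst))
    return alerts
```

Without the exemption both sources alert, because the upstream server's replies to five ephemeral ports look exactly like a sweep; with it, only the real low-port probe remains.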

