Snort mailing list archives
Re: Portscan preprocessor catching DNS replies
From: Andreas Östling <andreaso () it su se>
Date: Wed, 15 Aug 2001 23:31:13 +0200 (CEST)
On Wed, 15 Aug 2001, Jörgen Persson wrote:
> I used to have the same problem and I couldn't find a way to solve it with ''portscan-ignorehosts''. There might be a way to solve it with a snort rule but I made an ugly bpf hack.
>
> % cat /etc/snort/bpf.rules
> not udp src port domain
> % snort -F /etc/snort/bpf.rules

This filter is IMO not very good since it ignores too much. The problem is that all traffic coming from port 53 doesn't have to be DNS-related. You probably don't want to miss when someone executes a bunch of ntpd exploits against you using 53 as source port, for example.

If the problem is the portscan preprocessor, portscan-ignorehosts is the place to add the host. If the problem is a rule, it's better to write a specific pass rule, or perhaps use a more specific bpf filter for the particular hosts/ports you want to ignore.

Regards,
Andreas Östling
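
The difference between the broad filter quoted above and a host-specific one, as an added illustration that is not part of the original thread or of Snort: the two BPF expressions are modelled as Python predicates and run over constructed packets to show what each hides from the sensor. The resolver address, the monitored host and the narrow expression `not (udp and src host 192.0.2.53 and src port domain)` are assumptions chosen for the example.

```python
from collections import namedtuple

# Minimal packet model: only the fields the two filters inspect.
Pkt = namedtuple("Pkt", "proto src sport dst dport")

RESOLVER = "192.0.2.53"    # assumed trusted DNS server (documentation address)
HOST = "198.51.100.10"     # assumed monitored host (documentation address)

def broad_filter(p):
    """Models: not udp src port domain. True means Snort sees the packet."""
    return not (p.proto == "udp" and p.sport == 53)

def narrow_filter(p):
    """Models: not (udp and src host 192.0.2.53 and src port domain)."""
    return not (p.proto == "udp" and p.src == RESOLVER and p.sport == 53)

# Constructed sample traffic, not taken from a real capture.
PACKETS = [
    Pkt("udp", RESOLVER, 53, HOST, 32768),       # genuine DNS reply
    Pkt("udp", "203.0.113.7", 53, HOST, 123),    # non-DNS traffic to ntpd, source port 53
    Pkt("udp", "203.0.113.7", 53, HOST, 161),    # non-DNS traffic to SNMP, source port 53
    Pkt("tcp", "203.0.113.7", 40000, HOST, 80),  # unrelated TCP
]

def invisible_to_snort(filter_fn, packets):
    """Packets the capture filter drops, so no rule or preprocessor sees them."""
    return [p for p in packets if not filter_fn(p)]

def blind_spots(filter_fn, packets):
    """Dropped packets that did not come from the trusted resolver."""
    return [p for p in invisible_to_snort(filter_fn, packets)
            if p.src != RESOLVER]

if __name__ == "__main__":
    for name, fn in (("broad", broad_filter), ("narrow", narrow_filter)):
        hidden = invisible_to_snort(fn, PACKETS)
        print(f"{name}: {len(hidden)} hidden, "
              f"{len(blind_spots(fn, PACKETS))} from untrusted sources")
        for p in blind_spots(fn, PACKETS):
            print(f"  missed: {p.src}:{p.sport} -> {p.dst}:{p.dport}/{p.proto}")
```

Even the narrow filter trusts a UDP source address, which is why the reply above recommends portscan-ignorehosts when only the portscan preprocessor is the problem: the packets then still reach the rules.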