Snort mailing list archives

RE: UUnet dns server portscans filling up log.. causing email of real alerts to crash


From: Jeff Ito <jeffi () rcn com>
Date: Wed, 11 Jul 2001 12:17:27 -0400 (EDT)



This is how I solved my problem:

use the -F option in snort for "BPF" rules

(I use "bpf.rules")

My bpf.rules file reads:



not (src host x.x.x.x and port 53)



where x.x.x.x is, of course, the IP of the DNS server.

I really don't know why the ignore preprocessor doesn't work, but this is
the approach I took for what seems to be the exact same problem...

Jeff

Interesting, thanks Jeff: this seems to be the way to go...

Can you send me some specifics on how you installed that tcpdump rule
set?

Is there any other way to do this? And why doesn't the ignore portscan
hosts preprocessor work in this scenario?

I don't really want to have to use tcpdump files if I don't have
to: I have plenty of space on the drives and it would screw up the mail
alert script that I have built.


*snip - apparent port scan from external DNS server*


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
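The two fixes discussed in this thread are not equivalent, and the difference matters for anyone tuning a sensor. A BPF filter passed with `snort -F` discards the matching packets before any preprocessor or rule sees them, whereas a portscan ignore list only suppresses the scan verdict for that host while the packets stay available to every other detection stage. The Python model below is an added example written for this archive page, not code from the thread or from the Snort project. It implements libpcap's semantics for the parenthesized filter `not (src host x.x.x.x and port 53)` (`src host` tests the source address only; a bare `port 53` matches on either the source or the destination port), a toy portscan detector with an ignore list, and constructed traffic (documentation-range addresses, a resolver answering from port 53 to many client ports) so the two approaches can be compared offline.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

PORTSCAN_THRESHOLD = 10  # toy value: distinct destination ports seen from one source

DNS_SERVER = "192.0.2.53"     # constructed: upstream resolver that answers from port 53
SCANNER = "198.51.100.7"      # constructed: a genuine port scanner
TARGET = "192.0.2.10"         # constructed: the protected host behind the sensor


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def passes_bpf(pkt: Packet, dns_ip: str) -> bool:
    """Model of the libpcap filter `not (src host DNS_IP and port 53)`.

    `src host` tests the source address only, but a bare `port 53` matches
    when either the source OR the destination port is 53.  A packet this
    filter rejects never reaches Snort at all, not just the portscan code.
    """
    return not (pkt.src == dns_ip and 53 in (pkt.sport, pkt.dport))


def portscan_sources(pkts: Iterable[Packet],
                     ignore_hosts: Set[str] = frozenset()) -> Set[str]:
    """Toy stand-in for portscan detection: a source that reaches more than
    PORTSCAN_THRESHOLD distinct destination ports is flagged.  Sources in
    ignore_hosts are skipped, which is what a preprocessor ignore list does;
    their packets still exist for every other detection stage."""
    ports_by_src: Dict[str, Set[int]] = {}
    for p in pkts:
        if p.src in ignore_hosts:
            continue
        ports_by_src.setdefault(p.src, set()).add(p.dport)
    return {src for src, ports in ports_by_src.items()
            if len(ports) > PORTSCAN_THRESHOLD}


def build_sample() -> List[Packet]:
    """Constructed traffic: 12 DNS answers to ephemeral client ports (which
    looks like a scan to a naive detector), one unrelated packet from the DNS
    server, a real 12-port scan, and one client query to the resolver."""
    pkts = [Packet(DNS_SERVER, 53, TARGET, 33000 + i) for i in range(12)]
    pkts.append(Packet(DNS_SERVER, 40000, TARGET, 22))
    pkts += [Packet(SCANNER, 41000, TARGET, i) for i in range(1, 13)]
    pkts.append(Packet(TARGET, 33001, DNS_SERVER, 53))
    return pkts


def compare(pkts: List[Packet], dns_ip: str) -> Dict[str, object]:
    """Summarise what each approach lets the engine inspect and who gets flagged."""
    after_bpf = [p for p in pkts if passes_bpf(p, dns_ip)]
    answers = lambda ps: sum(p.src == dns_ip and p.sport == 53 for p in ps)
    return {
        # Option 1: BPF file via `snort -F`: packets are dropped before inspection
        "bpf_packets_inspected": len(after_bpf),
        "bpf_dns_answers_inspected": answers(after_bpf),
        "bpf_portscan_sources": portscan_sources(after_bpf),
        # Option 2: portscan ignore list: everything is inspected, only the
        # scan verdict for the resolver is suppressed
        "ignore_packets_inspected": len(pkts),
        "ignore_dns_answers_inspected": answers(pkts),
        "ignore_portscan_sources": portscan_sources(pkts, {dns_ip}),
        # No mitigation: the resolver is mis-flagged alongside the real scanner
        "raw_portscan_sources": portscan_sources(pkts),
    }


if __name__ == "__main__":
    for key, value in compare(build_sample(), DNS_SERVER).items():
        print(f"{key}: {value}")
```

Running the module shows the trade-off: both approaches stop the resolver being reported as a scanner and both still catch the real scan, but the BPF approach leaves zero DNS answers for the rest of the engine to inspect, so any content rules written for DNS responses from that server would be blind. If the ignore-hosts preprocessor cannot be made to work, a narrower BPF expression (for example one that also limits the exclusion to the destination network) reduces how much traffic is sacrificed.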

