Snort mailing list archives

Re: DNS portscan alerts


From: Dushyanth Harinath <dushy () symonds net>
Date: Mon, 18 Mar 2002 22:55:28 +0530

Hi,

* Leigh David Heyman <leigh () ai mit edu> [020318 16:50]:
> > > I'm not all that familiar with djbdns, but looking at this closer, I guess
> > > dnscache increments the UDP source port for recursive lookups to a single
> > > nameserver, where BIND uses a consistent udp source port?  Is this a feature--
> > > I don't know.
> >
> > This is what I was thinking too, I will check the djbdns docs/source
> > to confirm that.
> >
> > > var HOME_NET_NODNS [$HOME_NET,!your.dns.ip/32]
> > > then
> > >
> > > preprocessor portscan: $HOME_NET_NODNS 4 3 portscan.log
> >
> > This I have already done, I have put my DNS servers into
> > portscan-ignorehosts and they don't cause any alerts.
>
> err... I think you misunderstood me here.  IIRC portscan-ignorehosts is the
> list of hosts/networks to ignore portscans FROM, whereas the network you
> define as a parameter to the portscan preprocessor directive is the network
> you want to watch for portscans TO.  I was suggesting that if you have a
> single host, xxx.xxx.xxx which is triggering these portscan alerts, that you
> define a network variable without this host to pass to the portscan
> directive... then, maybe, the dns "portscans" to the host won't be noticed at
> all by the portscan preprocessor (rather than "noticed" but ignored).

Oh, sorry, my mistake, but the alerts are from many nameservers, not
from a particular one and listing them all is not possible.

Thanks
cheers
dushyanth
-- 
How about some patent       |  Dushyanth Harinath
on "(a+b)2 == a2+2ab+b2"    |  Archean Infotech
... choose free software!   |  http://www.archeanit.com
 --some Usenet siggy        |  http://symonds.net/~dushy
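The FROM/TO distinction Leigh describes above (portscan-ignorehosts filters on the source of a scan, the network passed to the portscan preprocessor filters on the destination) is the crux of the thread, so here is an added worked example that is not part of either poster's message and not Snort's own code. It is a deliberately simplified model of a portscan counter with the "4 ports in 3 seconds" thresholds from the quoted config, run over constructed traffic: several external nameservers replying to a dnscache host whose query source port keeps incrementing, plus one genuine scan against another internal host. All addresses are assumed (RFC 5737 documentation ranges); the helper names are invented for this illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample traffic (not captured from the thread). Each packet is
# (time_seconds, src_ip, dst_ip, dst_port). Addresses are documentation ranges.
HOME_NET = "192.0.2.0/24"
DNSCACHE = "192.0.2.10"      # assumed address of the djbdns dnscache host
OTHER_HOST = "192.0.2.20"    # another internal host, target of a real scan
NAMESERVERS = ["198.51.100.%d" % n for n in (1, 2, 3, 4, 5)]  # assumed external NS
SCANNER = "203.0.113.7"      # assumed hostile source

def dns_replies(ns, t0):
    # dnscache increments its UDP source port per lookup, so replies from one
    # nameserver land on consecutive ports of the cache host within a short window,
    # which looks like a port sweep to a destination-based portscan counter.
    return [(t0 + 0.1 * i, ns, DNSCACHE, 40000 + i) for i in range(5)]

PACKETS = []
for k, ns in enumerate(NAMESERVERS):
    PACKETS += dns_replies(ns, t0=0.5 * k)
# A genuine scan: one outside host probing four ports on another internal host.
PACKETS += [(10.0 + 0.2 * i, SCANNER, OTHER_HOST, p)
            for i, p in enumerate((21, 22, 23, 25))]

def portscan_alerts(packets, watch_nets, ignore_hosts=(), ports=4, seconds=3):
    """Simplified model of 'preprocessor portscan: <net> <ports> <seconds>'
    combined with 'portscan-ignorehosts'. Returns the set of source IPs that hit
    at least `ports` distinct destination ports on one watched host within any
    window of `seconds`. Illustrates the direction semantics only; it is not
    Snort's implementation."""
    watch = [ip_network(n) for n in watch_nets]
    ignore = {ip_address(h) for h in ignore_hosts}
    seen = defaultdict(list)   # (src, dst) -> [(time, dport), ...]
    for t, src, dst, dport in sorted(packets):
        if ip_address(src) in ignore:
            continue           # portscan-ignorehosts: filter on the SOURCE
        if not any(ip_address(dst) in n for n in watch):
            continue           # preprocessor net argument: filter on the DESTINATION
        seen[(src, dst)].append((t, dport))
    alerts = set()
    for (src, dst), events in seen.items():
        for i, (t_start, _) in enumerate(events):
            window = {p for t, p in events[i:] if t - t_start <= seconds}
            if len(window) >= ports:
                alerts.add(src)
                break
    return alerts

def watched_net_minus(net, host):
    """Mimics 'var HOME_NET_NODNS [$HOME_NET,!host/32]': the watched network
    with one host carved out, expressed as a list of CIDR strings."""
    return [str(n) for n in ip_network(net).address_exclude(ip_network(host + "/32"))]

if __name__ == "__main__":
    print("watch HOME_NET:           ", sorted(portscan_alerts(PACKETS, [HOME_NET])))
    print("ignore one nameserver:    ", sorted(portscan_alerts(
        PACKETS, [HOME_NET], ignore_hosts=[NAMESERVERS[0]])))
    print("watch HOME_NET - dnscache:", sorted(portscan_alerts(
        PACKETS, watched_net_minus(HOME_NET, DNSCACHE))))
```

Running it shows the three cases in the thread: with the whole HOME_NET watched, every nameserver (and the real scanner) trips the counter; adding one nameserver to the ignore list removes only that one source, which is why listing "many nameservers" does not scale; carving the dnscache host out of the watched network silences all the DNS false positives while the scan against the other internal host is still reported.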

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users