Snort mailing list archives
Re: DNS portscan alerts
From: Dushyanth Harinath <dushy () symonds net>
Date: Mon, 18 Mar 2002 22:55:28 +0530
Hi,

* Leigh David Heyman <leigh () ai mit edu> [020318 16:50]:
> I'm not all that familiar with djbdns, but looking at this closer, I guess dnscache increments the UDP source port for recursive lookups to a single nameserver, where BIND uses a consistent UDP source port? Is this a feature -- I don't know.

This is what I was thinking too; I will check the djbdns docs/source to confirm that.

> > > var HOME_NET_NODNS [$HOME_NET,!your.dns.ip/32] then preprocessor portscan: $HOME_NET_NODNS 4 3 portscan.log
> >
> > This I have already done, I have put my DNS servers into portscan-ignorehosts and they don't cause any alerts.
>
> err... I think you misunderstood me here. IIRC portscan-ignorehosts is the list of hosts/networks to ignore portscans FROM, whereas the network you define as a parameter to the portscan preprocessor directive is the network you want to watch for portscans TO. I was suggesting that if you have a single host, xxx.xxx.xxx, which is triggering these portscan alerts, that you define a network variable without this host to pass to the portscan directive... then, maybe, the DNS "portscans" to the host won't be noticed at all by the portscan preprocessor (rather than "noticed" but ignored).
Oh, sorry, my mistake, but the alerts are from many nameservers, not from a particular one, and listing them all is not possible.

Thanks
cheers
dushyanth

--
How about some patent            | Dushyanth Harinath
on "(a+b)2 == a2+2ab+b2"         | Archean Infotech
... choose free software!        | http://www.archeanit.com
--some Usenet siggy              | http://symonds.net/~dushy

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
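The distinction Leigh draws above (portscan-ignorehosts filters the sources of a scan, while the network argument to the portscan directive selects which destinations are watched) and Dushyanth's objection that the replies come from too many nameservers to list can both be seen in a small model of the preprocessor's rule. This is an added example written for this archive page, not Snort's code and not anything posted in the thread; it assumes placeholder addresses (10.0.0.53 for the dnscache host, 192.0.2.x for external nameservers) and reduces the old portscan preprocessor to its documented rule: more than P distinct ports on one watched host from a single source within T seconds.

```python
"""Toy model of the Snort 1.x 'portscan' preprocessor semantics discussed in
the thread. Added illustration only; Snort's real preprocessor keeps richer
state and logs scan start/end, but the trigger modelled here is the same:
more than `ports` distinct ports on one monitored host within `seconds`."""
import ipaddress
from collections import defaultdict


def parse_netlist(spec):
    """Parse a Snort-style list such as ['10.0.0.0/24', '!10.0.0.53/32']
    into (included, excluded) network lists; '!' marks an exclusion."""
    included, excluded = [], []
    for item in spec:
        if item.startswith("!"):
            excluded.append(ipaddress.ip_network(item[1:]))
        else:
            included.append(ipaddress.ip_network(item))
    return included, excluded


class PortscanDetector:
    def __init__(self, monitor_net, ports, seconds, ignore_hosts=()):
        # monitor_net plays the role of the directive's network argument
        # (destinations to watch); ignore_hosts plays the role of
        # portscan-ignorehosts (sources whose traffic is never counted).
        self.included, self.excluded = parse_netlist(monitor_net)
        self.ports = ports
        self.seconds = seconds
        self.ignore = {ipaddress.ip_address(h) for h in ignore_hosts}
        self.history = defaultdict(list)  # (src, dst) -> [(ts, dport), ...]
        self.alerted = set()

    def monitored(self, dst):
        return any(dst in n for n in self.included) and not any(
            dst in n for n in self.excluded)

    def feed(self, ts, src, dst, dport):
        """Feed one packet; return an alert string or None."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src in self.ignore or not self.monitored(dst):
            return None
        hist = self.history[(src, dst)]
        hist.append((ts, dport))
        # Slide the window: forget packets older than `seconds`.
        while hist and ts - hist[0][0] > self.seconds:
            hist.pop(0)
        distinct = {p for _, p in hist}
        if len(distinct) > self.ports and (src, dst) not in self.alerted:
            self.alerted.add((src, dst))
            return f"portscan: {src} -> {dst} ({len(distinct)} ports)"
        return None


def dns_reply_traffic():
    """Constructed sample: three external nameservers answering recursive
    queries from a dnscache host that uses a fresh source port per query,
    so every reply arrives on a different UDP port within a short window."""
    cache = "10.0.0.53"                                  # placeholder dnscache host
    servers = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]    # placeholder nameservers
    pkts, port = [], 30000
    for i in range(5):
        for srv in servers:
            pkts.append((0.1 * i, srv, cache, port))     # (ts, src, dst, dport)
            port += 1
    return pkts


def count_alerts(monitor_net, ignore_hosts=()):
    """Run the sample traffic through a detector configured like
    'portscan: <net> 4 3 portscan.log' and count alerts raised."""
    det = PortscanDetector(monitor_net, ports=4, seconds=3,
                           ignore_hosts=ignore_hosts)
    return sum(1 for pkt in dns_reply_traffic() if det.feed(*pkt))


if __name__ == "__main__":
    home = "10.0.0.0/24"
    print("watch $HOME_NET:                 ", count_alerts([home]))
    print("ignore one nameserver:           ", count_alerts([home], ["192.0.2.1"]))
    print("watch [$HOME_NET,!dnscache/32]:  ", count_alerts([home, "!10.0.0.53/32"]))
```

Ignoring a single nameserver only silences that one source, which is why a portscan-ignorehosts list cannot keep up when the replies come from arbitrary authoritative servers; excluding the resolver from the watched network suppresses all of them because the preprocessor never counts ports on that destination at all. The cost of that exclusion is that a real scan against the resolver host goes unnoticed by this preprocessor, so it is worth covering that host with other detection.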