On Fri, 2002-03-22 at 06:58, Jeff wrote:
> Any ideas why Snort is logging portscans from 2 of my provider's
> DNS servers? I see this every day. It's making only UDP
> connections based on the log:
>
> Mar 19 13:00:47 myhost snort: spp_portscan: portscan status
> from +216.148.227.68: 6 connections across 1 hosts: TCP(0),
> UDP(6)
>
> I think this is due to the DNS servers making several connections
> in my firewall/nat gateway in a short period of time. But I'm
> not sure.

You should add these addresses to the var DNS_SERVERS section of snort.conf. One way to detect portscans is to look for a lot of connections from one IP address, and DNS is a service with a lot of connections. Add these DNS IP addresses to DNS_SERVERS and snort will stop reporting portscans.

> thanks,
> jc
>
> --
> Jeff Coppock      Systems Engineer
> Diggin' Debian    Admin and User

--
Ing. Jozef Novikmec
Linux system administrator
LYNX, spol. s r. o.
Masarykova 10
040 01, Kosice
Tel.: +421 55 633 55 11
Fax: +421 55 633 55 20
E-mail: [EMAIL PROTECTED]
http: http://www.lynx.sk
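
A triage check for the situation discussed in this thread, as an added example that is not part of the original messages: it parses spp_portscan status lines in the format quoted above and lists sources whose reports are UDP-only, touch a single host and belong to resolvers you actually use, which are the addresses the reply suggests putting in DNS_SERVERS. The function names, the resolver set and every sample line except the first are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the spp_portscan status line format quoted in the thread.
# The optional "+" tolerates the marker that precedes the address there.
STATUS_RE = re.compile(
    r"spp_portscan: portscan status from \+?(?P<src>\d{1,3}(?:\.\d{1,3}){3}): "
    r"(?P<conns>\d+) connections across (?P<hosts>\d+) hosts: "
    r"TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)"
)

# First line is the one from the thread; the rest are constructed samples.
SAMPLE_LOG = """\
Mar 19 13:00:47 myhost snort: spp_portscan: portscan status from +216.148.227.68: 6 connections across 1 hosts: TCP(0), UDP(6)
Mar 19 13:05:02 myhost snort: spp_portscan: portscan status from 216.148.227.68: 4 connections across 1 hosts: TCP(0), UDP(4)
Mar 19 13:07:40 myhost snort: spp_portscan: portscan status from 192.0.2.77: 120 connections across 14 hosts: TCP(118), UDP(2)
Mar 19 13:09:11 myhost snort: some other alert that is not a portscan status line
"""

def summarize(log_text):
    """Aggregate portscan status lines per source address."""
    stats = defaultdict(lambda: {"events": 0, "tcp": 0, "udp": 0, "max_hosts": 0})
    for line in log_text.splitlines():
        m = STATUS_RE.search(line)
        if not m:
            continue  # skip unrelated or malformed lines
        s = stats[m["src"]]
        s["events"] += 1
        s["tcp"] += int(m["tcp"])
        s["udp"] += int(m["udp"])
        s["max_hosts"] = max(s["max_hosts"], int(m["hosts"]))
    return dict(stats)

def dns_like_sources(stats, known_resolvers):
    """Sources whose reports are UDP-only, hit one host, and are resolvers
    we use. Everything else remains a portscan report to investigate."""
    return sorted(
        src for src, s in stats.items()
        if s["tcp"] == 0 and s["udp"] > 0 and s["max_hosts"] == 1
        and src in known_resolvers
    )

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    # Assumed resolver set: the address from the thread's log line.
    for src in dns_like_sources(stats, known_resolvers={"216.148.227.68"}):
        print(f"{src}: {stats[src]}")
```

Requiring membership in the known resolver set keeps an unknown UDP-only source from being whitelisted just because its traffic looks like DNS replies.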