Re: snort not recognizing dns server correctly
--- Javier Fernández-Sanguino_Peña <[EMAIL PROTECTED]> wrote:
> On Mon, May 06, 2002 at 04:27:53AM -0700, Jeff wrote:
> > dafr, 2002-May-03 10:52 -0700:
> > > Jeff,
> > >
> > > I had this problem initially as well when I reconfigured snort, until I
> > > restarted the service. Quite obvious in retrospect, but when I missed
> > > it initially, I could see others doing the same.
> > >
> > > There is also a section towards the bottom of the snort.conf file that
> > > you _also_ have to unhash, for DNS_SERVERS, IIRC, to actually activate
> > > the DNS filter.
> > >
>
> Since this is a common issue, why not file a wishlist bug against
> the snort package so that it helps the user do this upon installation?
> IIRC it currently does not do it.
>
> Javi

Yes, the installation tools might be able to be improved upon, but I'd
rather see more obvious documentation, or just a banner page at install
that says "here are the steps to..." at this point. The wishlist may be
appropriate for accomplishing this, but this request was the first one
that I've seen on this list, so I'm not sure how common the problem
really is.

I have to admit that I didn't go digging too hard for documentation and
went straight to the configuration files and figured it out for myself.

David

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: snort not recognizing dns server correctly
On Mon, May 06, 2002 at 04:27:53AM -0700, Jeff wrote:
> dafr, 2002-May-03 10:52 -0700:
> > Jeff,
> >
> > I had this problem initially as well when I reconfigured snort, until I
> > restarted the service. Quite obvious in retrospect, but when I missed
> > it initially, I could see others doing the same.
> >
> > There is also a section towards the bottom of the snort.conf file that
> > you _also_ have to unhash, for DNS_SERVERS, IIRC, to actually activate
> > the DNS filter.
> >

Since this is a common issue, why not file a wishlist bug against
the snort package so that it helps the user do this upon installation?
IIRC it currently does not do it.

Javi

Re: snort not recognizing dns server correctly [closed]
Jeff, 2002-May-06 04:27 -0700:
> dafr, 2002-May-03 10:52 -0700:
> > Jeff,
> >
> > I had this problem initially as well when I reconfigured snort, until I
> > restarted the service. Quite obvious in retrospect, but when I missed
> > it initially, I could see others doing the same.
> >
> > There is also a section towards the bottom of the snort.conf file that
> > you _also_ have to unhash, for DNS_SERVERS, IIRC, to actually activate
> > the DNS filter.
> >
> > HTH,
> > David
>
> David,
>
> Thanks for the pointer. I found the section and uncommented it
> and then restarted snort. I'll be watching my logs and let you
> know what I see.

After a couple of weeks with these settings, no more portscans are
being registered by my dns servers. Thanks for your help, David.

jc

--
Jeff Coppock        Systems Engineer
Diggin' Debian      Admin and User

Re: snort not recognizing dns server correctly
dafr, 2002-May-03 10:52 -0700:
> Jeff,
>
> I had this problem initially as well when I reconfigured snort, until I
> restarted the service. Quite obvious in retrospect, but when I missed
> it initially, I could see others doing the same.
>
> There is also a section towards the bottom of the snort.conf file that
> you _also_ have to unhash, for DNS_SERVERS, IIRC, to actually activate
> the DNS filter.
>
> HTH,
> David

David,

Thanks for the pointer. I found the section and uncommented it
and then restarted snort. I'll be watching my logs and let you
know what I see.

thanks,
jc

--
Jeff Coppock        Systems Engineer
Diggin' Debian      Admin and User

Re: snort not recognizing dns server correctly
Hi Jeff,

Quoting Jeff ([EMAIL PROTECTED]):
> The 192... is a local private network and the next 2 addresses
> are dns servers. Snort is constantly logging activity to the 1st
> dns server as a portscan, and as I understand it, this config
> entry is supposed to eliminate that. Is this incorrect?

Please email me offlist about this; (debian-security is not the right
place, the package maintainer address (mine) is).

It's also important to know what version(s) of the package(s) you're
talking about.

Greets,
Robert

--
( o> Linux Generation

Re: snort not recognizing dns server correctly
Jeff,

I had this problem initially as well when I reconfigured snort, until I
restarted the service. Quite obvious in retrospect, but when I missed
it initially, I could see others doing the same.

There is also a section towards the bottom of the snort.conf file that
you _also_ have to unhash, for DNS_SERVERS, IIRC, to actually activate
the DNS filter.

HTH,
David

--- Jeff <[EMAIL PROTECTED]> wrote:
> I have the following entry in /etc/snort/snort.conf
>
> var DNS_SERVERS [192.168.0.0/24,216.148.227.68/32,204.127.202.4/32]
>
> The 192... is a local private network and the next 2 addresses
> are dns servers. Snort is constantly logging activity to the 1st
> dns server as a portscan, and as I understand it, this config
> entry is supposed to eliminate that. Is this incorrect?
>
> thanks,
> jc
>
> --
> Jeff Coppock        Systems Engineer
> Diggin' Debian      Admin and User

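
Added example, not part of any poster's message: a check for the situation this thread describes, where a variable such as DNS_SERVERS is set in snort.conf but the only directive that uses it is still commented out. The thread does not name that directive; the sample assumes the portscan and portscan-ignorehosts preprocessor lines of Snort 1.8-era configs, and the HOME_NET value is constructed.

```python
import re

VAR_DEF = re.compile(r"^var\s+(\w+)\s+\S")
VAR_REF = re.compile(r"\$\(?(\w+)")   # matches $NAME and $(NAME)

def inactive_variables(conf_text):
    """Return {name: [line numbers of commented-out uses]} for each variable
    defined on an active line but never used on an active line.
    Rule files pulled in by 'include' are not followed, so treat the
    result as candidates to review, not as proof."""
    defined, active_refs, commented_refs = {}, set(), {}
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # A "hashed" directive: remember which variables it would use.
            for name in VAR_REF.findall(line):
                commented_refs.setdefault(name, []).append(lineno)
            continue
        m = VAR_DEF.match(line)
        if m:
            defined[m.group(1)] = lineno
            # A definition may itself reference other variables.
            active_refs.update(VAR_REF.findall(line[m.end(1):]))
        else:
            active_refs.update(VAR_REF.findall(line))
    return {name: commented_refs.get(name, [])
            for name in defined if name not in active_refs}

# Constructed sample: DNS_SERVERS value is the one quoted in the thread;
# the preprocessor lines are assumed Snort 1.8-style directives.
SAMPLE_BEFORE = """\
var HOME_NET 192.168.0.0/24
var DNS_SERVERS [192.168.0.0/24,216.148.227.68/32,204.127.202.4/32]
preprocessor portscan: $HOME_NET 4 3 portscan.log
# preprocessor portscan-ignorehosts: $DNS_SERVERS
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("# preprocessor portscan-ignorehosts",
                                     "preprocessor portscan-ignorehosts")

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        for name, lines in inactive_variables(text).items():
            print(f"{label}: {name} is set but only used on commented "
                  f"line(s) {lines}")
```

A clean result only covers the file on disk; as the thread notes, the running service has to be restarted before an edited snort.conf takes effect.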