From: Ben Beuchler (insyte emt-p.org)
Date: Tue Mar 06 2001 - 12:53:52 CST
First, the precis:
My Snort box thinks every DNS query is a portscan.
Now, the details:
I have a /28 network hanging off my Cisco 675 DSL router with an OpenBSD
box acting as a bridging firewall between the router and my network.
I'm running Snort on the firewall with HOME_NET set to my /28. I'm
running dnscache on that box as well, only accepting requests from my
internal network.
The firewall has two interfaces, ep0 and ep1. ep0 has an IP address; ep1
is just the other side of the bridge and does not have an IP address
bound to it. According to snort, it is initializing on ep0, which is
correct.
I have this line in my snort.conf:
var DNS_SERVERS xxx.xxx.xxx.x, yyy.yyy.yyy.y
The first IP is the name server of my ISP, the second is the IP of the
firewall's ep0, where dnscache is listening.
Despite that, my log is full of alerts like this:
03/06-10:31:06.493990 [**] spp_portscan: portscan status from yyy.yyy.yyy.yy: 1 connections across 1 hosts: TCP(0), UDP(1) [**]
Any thoughts?
Thanks,
Ben
--
Ben Beuchler                                   insyte emt-p.org
There is no spoon.                                -- The Matrix
_______________________________________________
Snort-users mailing list
Snort-users lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
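An added example, not from Ben's post or the Snort project: the snort.conf fragment below puts the DNS_SERVERS declaration as the post gives it beside the bracketed list form that Snort 1.x documents for multi-address variables, and adds the portscan preprocessor together with a portscan-ignorehosts line so that traffic from the resolvers is excluded from scan counting. The addresses are RFC 5737 documentation stand-ins for the redacted ISP resolver and firewall ep0 values; substitute the real ones.

```conf
# Added example; not from the original post. Addresses are documentation
# stand-ins (RFC 5737) for the redacted ISP resolver and firewall ep0 values.
var HOME_NET 192.0.2.16/28

# As posted: a bare comma-separated pair.
#   var DNS_SERVERS xxx.xxx.xxx.x, yyy.yyy.yyy.y
# Snort 1.x documents multi-address lists in square brackets with no spaces:
var DNS_SERVERS [198.51.100.53/32,192.0.2.17/32]

# Portscan preprocessor watching HOME_NET: 4 ports within 3 seconds
# from one source trips an alert, logged to portscan.log.
preprocessor portscan: $HOME_NET 4 3 portscan.log

# Exclude the resolvers from scan counting. This directive takes a
# space-separated host list, not a bracketed $VAR list.
preprocessor portscan-ignorehosts: 198.51.100.53 192.0.2.17
```

Declaring DNS_SERVERS by itself only makes the variable available to rules that reference it; spp_portscan does not consult it, which is why the ignore list has to be given to the preprocessor explicitly.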