From: Brian Caswell (bmc mitre.org)
Date: Mon Jun 18 2001 - 16:36:49 CDT

Andrew Daviel wrote:
>
> A little gotcha - well, as it relates to my reporter script
> http://andrew.triumf.ca/pub/security/reporter/
>
> The notes say to ignore DNS servers to avoid triggering the portscan
> plugin. So I ignore the root nameservers, our onsite users use our
> onsite nameservers, occasional DNS lookups are ignored, and everything
> is OK.
> Then someone brings a laptop onsite, forgets to reconfigure the
> DNS from their home ISP, and does a lot of surfing. Result, 2 automated
> complaints sent to their ISP (followed by manual "sorry! please ignore.").
> I since fixed the script to ignore UDP source port 53.
>
> Normally, I suppose, you would like to know about someone
> misconfigured like this, but probably not to panic...

This would be yet another reason for NOT automagically doing things like
automail or autofirewall. You are going to shoot yourself in the foot
like this.

Never never never never do anything but wave big red flags at yourself
automagically. Computers are smart, but computers don't know politics.
Heck, people don't know politics. Why should computers know any
better?

--
Brian Caswell
The MITRE Corporation
_______________________________________________
Snort-users mailing list
http://lists.sourceforge.net/lists/listinfo/snort-users
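
The false positive discussed in this thread, as an added example that is not part of either message and is not code from the reporter script or from Snort: replies from an offsite resolver (UDP source port 53) fan out to many ephemeral ports and look like a portscan, so the triage below sets them aside and only raises flags for a human. The event tuples, addresses, threshold and function names are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real Snort output): proto, src, sport, dst, dport.
# 198.51.100.53 stands in for an offsite ISP resolver answering a visiting laptop;
# 203.0.113.9 stands in for a host touching many TCP ports on one machine.
SAMPLE_EVENTS = (
    [("udp", "198.51.100.53", 53, "10.0.0.77", 1024 + i) for i in range(12)]
    + [("tcp", "203.0.113.9", 40000, "10.0.0.5", p) for p in range(20, 32)]
    + [("udp", "192.0.2.10", 123, "10.0.0.8", 123)]
)

PORT_THRESHOLD = 10  # assumed: distinct (host, port) targets before a source looks like a scan


def triage(events, threshold=PORT_THRESHOLD, ignore_dns_replies=True):
    """Return (review, notes): sources to flag for a human, and DNS-reply sources set aside."""
    targets = defaultdict(set)
    dns_clients = defaultdict(set)
    for proto, src, sport, dst, dport in events:
        if ignore_dns_replies and proto == "udp" and sport == 53:
            # DNS replies hit many ephemeral ports and mimic a scan. They are
            # kept as a note rather than dropped, since the source port is
            # chosen by the sender and the misconfigured client is worth knowing about.
            dns_clients[src].add(dst)
            continue
        targets[src].add((dst, dport))
    review = sorted(s for s, seen in targets.items() if len(seen) >= threshold)
    notes = {s: sorted(c) for s, c in dns_clients.items()}
    return review, notes


def report(events):
    """Build flag lines for an operator; nothing is mailed or firewalled."""
    review, notes = triage(events)
    lines = [f"REVIEW possible portscan from {s}" for s in review]
    lines += [f"INFO {', '.join(c)} using offsite resolver {s}"
              for s, c in sorted(notes.items())]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EVENTS)))
```

With `ignore_dns_replies=False` the resolver is flagged alongside the real scanner, which is the condition that produced the automated complaints described above.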