Re: UDP scan from DNS server?

From: Jonathan Bloomquist (jsbloomat_private)
Date: Mon May 28 2001 - 20:02:27 PDT


    Snort should be configured to ignore DNS servers:

    Portscan Ignorehosts

    Another module from Patrick Mullen that modifies the portscan detection
    system's operation.  If you have servers which tend to trip off the portscan
    detector (such as NTP, NFS, and DNS servers), you can tell portscan to
    ignore TCP SYN and UDP portscans from certain hosts.   The arguments to this
    module are a list of IPs/CIDR blocks to be ignored.
    
    Format:
    
      portscan-ignorehosts: <host list>

    My Snort config file contains these lines:
    
    var DNS_SERVERS [x.x.x.x/32,x.x.x.x/32]
    and
    preprocessor portscan-ignorehosts: $DNS_SERVERS
    
    
    
    From: "Michael Clark" <mdcat_private>
    To: <incidentsat_private>
    Sent: Tuesday, May 29, 2001 1:44 PM
    Subject: UDP scan from DNS server?
    
    
    > Snort grabbed the following traces last night. The source is my ISP's DNS
    > server. Any ideas?
    >
    > May 28 21:42:40 111.222.333.444:53 -> 192.168.1.1:61068 UDP
    > May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61069 UDP
    > May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61070 UDP
    > May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61071 UDP
    > May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61072 UDP
    > May 28 21:42:44 111.222.333.444:53 -> 192.168.1.1:61073 UDP
    > May 28 21:42:53 111.222.333.444:53 -> 192.168.1.1:61074 UDP
    > May 28 21:48:32 111.222.333.444:53 -> 192.168.1.1:61074 UDP
    > May 28 21:48:33 111.222.333.444:53 -> 192.168.1.1:61075 UDP
    > May 28 21:48:33 111.222.333.444:53 -> 192.168.1.1:61076 UDP
    > May 28 21:48:33 111.222.333.444:53 -> 192.168.1.1:61078 UDP
    > May 28 21:48:33 111.222.333.444:53 -> 192.168.1.1:61079 UDP
    > May 28 21:48:33 111.222.333.444:53 -> 192.168.1.1:61077 UDP
    > May 28 21:48:33 111.222.333.444:53 -> 192.168.1.1:61081 UDP
    > May 28 21:48:33 111.222.333.444:53 -> 192.168.1.1:61082 UDP
    > May 28 21:48:34 111.222.333.444:53 -> 192.168.1.1:61083 UDP
    > May 28 21:48:34 111.222.333.444:53 -> 192.168.1.1:61084 UDP
    > May 28 21:48:34 111.222.333.444:53 -> 192.168.1.1:61085 UDP
    > May 28 21:48:34 111.222.333.444:53 -> 192.168.1.1:61086 UDP
    > May 28 21:48:35 111.222.333.444:53 -> 192.168.1.1:61080 UDP
    > May 28 21:51:23 111.222.333.444:53 -> 192.168.1.1:61094 UDP
    > May 28 21:51:24 111.222.333.444:53 -> 192.168.1.1:61095 UDP
    > May 28 21:51:24 111.222.333.444:53 -> 192.168.1.1:61096 UDP
    > May 28 21:51:24 111.222.333.444:53 -> 192.168.1.1:61097 UDP
    > May 28 21:51:24 111.222.333.444:53 -> 192.168.1.1:61098 UDP
    > May 28 21:55:44 111.222.333.444:53 -> 192.168.1.1:61107 UDP
    > May 28 21:55:45 111.222.333.444:53 -> 192.168.1.1:61108 UDP
    > May 28 21:55:46 111.222.333.444:53 -> 192.168.1.1:61109 UDP
    > May 28 21:55:46 111.222.333.444:53 -> 192.168.1.1:61110 UDP
    > May 28 21:55:47 111.222.333.444:53 -> 192.168.1.1:61111 UDP
    > May 28 21:55:47 111.222.333.444:53 -> 192.168.1.1:61112 UDP
    > May 28 21:56:02 111.222.333.444:53 -> 192.168.1.1:61113 UDP
    > May 28 21:56:02 111.222.333.444:53 -> 192.168.1.1:61114 UDP
    > May 28 21:56:05 111.222.333.444:53 -> 192.168.1.1:61115 UDP
    > May 28 21:56:07 111.222.333.444:53 -> 192.168.1.1:61116 UDP
    > May 28 21:56:18 111.222.333.444:53 -> 192.168.1.1:61117 UDP
    > May 28 21:56:18 111.222.333.444:53 -> 192.168.1.1:61118 UDP
    > May 28 21:57:06 111.222.333.444:53 -> 192.168.1.1:61118 UDP
    > May 28 21:57:07 111.222.333.444:53 -> 192.168.1.1:61119 UDP
    > May 28 21:57:07 111.222.333.444:53 -> 192.168.1.1:61120 UDP
    > May 28 21:57:08 111.222.333.444:53 -> 192.168.1.1:61121 UDP
    > May 28 21:57:09 111.222.333.444:53 -> 192.168.1.1:61122 UDP
    > May 28 21:57:11 111.222.333.444:53 -> 192.168.1.1:61123 UDP
    > May 28 23:16:51 111.222.333.444:53 -> 192.168.1.1:61139 UDP
    > May 28 23:16:52 111.222.333.444:53 -> 192.168.1.1:61140 UDP
    > May 28 23:16:52 111.222.333.444:53 -> 192.168.1.1:61141 UDP
    > May 28 23:16:54 111.222.333.444:53 -> 192.168.1.1:61142 UDP
    > May 28 23:16:54 111.222.333.444:53 -> 192.168.1.1:61143 UDP
    > May 28 23:16:55 111.222.333.444:53 -> 192.168.1.1:61144 UDP
    > May 28 23:16:56 111.222.333.444:53 -> 192.168.1.1:61145 UDP
    > May 28 23:17:12 111.222.333.444:53 -> 192.168.1.1:61146 UDP
    > May 28 23:17:15 111.222.333.444:53 -> 192.168.1.1:61147 UDP
    > May 29 06:14:56 111.222.333.444:53 -> 192.168.1.1:61156 UDP
    > May 29 06:14:56 111.222.333.444:53 -> 192.168.1.1:61157 UDP
    > May 29 06:14:56 111.222.333.444:53 -> 192.168.1.1:61158 UDP
    > May 29 06:14:57 111.222.333.444:53 -> 192.168.1.1:61159 UDP
    > May 29 06:14:59 111.222.333.444:53 -> 192.168.1.1:61160 UDP
    > May 29 06:14:59 111.222.333.444:53 -> 192.168.1.1:61161 UDP
    > May 29 06:15:00 111.222.333.444:53 -> 192.168.1.1:61162 UDP
    > May 29 06:15:02 111.222.333.444:53 -> 192.168.1.1:61163 UDP
    > May 29 06:15:15 111.222.333.444:53 -> 192.168.1.1:61164 UDP
    > May 29 06:15:19 111.222.333.444:53 -> 192.168.1.1:61165 UDP
    > May 29 06:15:19 111.222.333.444:53 -> 192.168.1.1:61166 UDP
    >
    > Michael
    >
    
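As an added example (not code from the thread or from Snort), here is a small Python triage that parses lines in the shape of the quoted portscan log, applies a portscan-ignorehosts-style host list, and checks whether the suppressed events have the shape of DNS replies (UDP from port 53 to ephemeral ports) rather than a probe. The sample log is constructed: 111.222.333.444 is not a valid IPv4 address, so RFC 5737 documentation addresses stand in, and the two TCP SYN lines are invented for contrast.

```python
import ipaddress
import re

# Constructed sample in the shape of the Snort portscan log quoted above.
# 198.51.100.53 stands in for the ISP resolver, 203.0.113.9 for an unrelated
# source; the two SYN lines are invented so the ignore list has something to keep.
SAMPLE_LOG = """\
May 28 21:42:40 198.51.100.53:53 -> 192.168.1.1:61068 UDP
May 28 21:42:43 198.51.100.53:53 -> 192.168.1.1:61069 UDP
May 28 21:42:43 198.51.100.53:53 -> 192.168.1.1:61070 UDP
May 28 21:42:53 198.51.100.53:53 -> 192.168.1.1:61074 UDP
May 28 21:43:01 203.0.113.9:40000 -> 192.168.1.1:22 SYN ******S*
May 28 21:43:01 203.0.113.9:40001 -> 192.168.1.1:23 SYN ******S*
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\S+)"
)

def parse_line(line):
    """Return a dict for one portscan log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def parse_ignore_hosts(value):
    """Parse a portscan-ignorehosts value such as '[10.0.0.1/32,10.0.1.0/24]'."""
    items = value.strip().strip("[]").split(",")
    return [ipaddress.ip_network(i.strip(), strict=False) for i in items if i.strip()]

def is_dns_reply_pattern(recs):
    """True when every event is UDP from port 53 to an ephemeral port (resolver answers)."""
    return bool(recs) and all(
        r["proto"] == "UDP" and r["sport"] == 53 and r["dport"] >= 1024 for r in recs
    )

def triage(log_text, ignore_value):
    """Return (suppressed, kept): events from ignored hosts vs. those still to review."""
    nets = parse_ignore_hosts(ignore_value)
    suppressed, kept = [], []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        src = ipaddress.ip_address(rec["src"])
        (suppressed if any(src in n for n in nets) else kept).append(rec)
    return suppressed, kept
```

Running `triage(SAMPLE_LOG, "[198.51.100.53/32]")` suppresses the four resolver lines and keeps the two SYN lines; checking the suppressed set with `is_dns_reply_pattern` confirms it looks like answers to the host's own queries before you add that address to the ignore list.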



    This archive was generated by hypermail 2b30 : Wed May 30 2001 - 07:09:11 PDT