Snort mailing list archives
Re: Portscan preprocessor catching DNS replies
From: Jörgen Persson <jpn () tlth lth se>
Date: Thu, 16 Aug 2001 16:11:59 +0200
On Thu, Aug 16, 2001 at 09:52:33AM -0400, root wrote:
Hi there, Thanks to Mr. Persson for the fix. I have no experience with BPF per se and have not taken the time to translate the following to BPF, but perhaps a better rule would be to ignore traffic that is UDP source port 53 destination port >1024?
I don't think you can specify ranges with BPF. I tried a pass rule (with the -o option) like ''pass udp any 53 -> $HOME_NET 1024:''. I thought it would omit answers to DNS queries but it gave me false positives as well, what might be wrong? I came to think of it... you don't need the first line in my BPF example since Snort will take care of that part. Can someone please take a look at it since I'm relatively new to Snort. Jörgen
Jörgen Persson wrote:
On Thu, Aug 16, 2001 at 12:29:06AM +0200, Jörgen Persson wrote:
[snip]
As Andreas pointed out on the list, that filter I mentioned filters out everything from udp source port 53. I'm trying a more narrow bpf rule at the moment.

dst host $MY_IP and \
    (not udp src port 53 or \
     udp dst port $UDP_SERVICE_A or \
     udp dst port $UDP_SERVICE_B or \
     . . .
     udp dst port $UDP_SERVICE_N)

The idea is to exclude traffic from udp port 53 to udp ports on my host without services. I don't know if it works or not but it might help you. By the way, you have to write the rule on one line without the backslashes. Change the variables to something more appropriate.
Jörgen
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
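The two BPF expressions discussed in this thread differ in exactly one case: a packet from UDP source port 53 aimed at a port where the monitored host really runs a service. The broad filter ("not udp src port 53") hides that packet, so a scanner that sets its source port to 53 would be invisible to the portscan preprocessor; the narrowed filter still lets it through and only drops DNS answers headed for ephemeral ports. The following is an added example, not code from the thread or from Snort: a small pure-Python classifier that parses IPv4/UDP headers and applies the same predicates BPF would, over constructed packets. The host address 192.0.2.10, the service ports 123 and 514, and the packet contents are all assumptions chosen for illustration. It ignores IP fragmentation (real BPF port tests only match the first fragment), which is enough to show the logic. Note that modern libpcap (well after 2001) does accept ranges with the `portrange` keyword, e.g. `udp dst portrange 1024-65535`; that keyword did not exist when this thread was written.

```python
"""Compare the broad and narrowed BPF filters from the thread over constructed packets."""
import ipaddress
import struct

MY_IP = "192.0.2.10"          # assumed address of the monitored host ($MY_IP)
UDP_SERVICES = {123, 514}     # assumed local UDP services ($UDP_SERVICE_A, $UDP_SERVICE_B)


def build_udp_packet(src_ip, dst_ip, sport, dport, payload=b""):
    """Build a minimal IPv4 header (no options, checksum left zero) + UDP header.

    Constructed test input only; the checksums are not computed because the
    filters below never look at them.
    """
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,          # v4/IHL=5, TTL 64, proto 17 (UDP)
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return ip_hdr + udp_hdr + payload


def parse(pkt):
    """Extract the fields the BPF keywords 'dst host' and 'udp src/dst port' test.

    Returns None for anything that is not IPv4; for non-UDP IPv4 packets the
    'udp' flag is False so port tests fail, exactly as BPF's 'udp ... port'
    qualifiers fail on TCP or ICMP.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    fields = {
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "udp": False,
    }
    if pkt[9] == 17 and len(pkt) >= ihl + 8:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        fields.update(udp=True, sport=sport, dport=dport)
    return fields


def broad_filter(pkt):
    """'not udp src port 53': the first filter in the thread.

    Passes everything except UDP packets sourced from port 53, so every DNS
    answer disappears, including a scan that uses source port 53.
    """
    f = parse(pkt)
    return f is not None and not (f["udp"] and f["sport"] == 53)


def narrow_filter(pkt):
    """'dst host $MY_IP and (not udp src port 53 or udp dst port A or ... or udp dst port N)'.

    Drops only packets from UDP port 53 to ports on the host with no service;
    a source-port-53 packet at a real service port is still handed to Snort.
    """
    f = parse(pkt)
    if f is None or f["dst"] != MY_IP:
        return False
    from_dns_port = f["udp"] and f["sport"] == 53
    to_service_port = f["udp"] and f["dport"] in UDP_SERVICES
    return (not from_dns_port) or to_service_port


# Constructed sample packets (not captured traffic).
SAMPLES = {
    # DNS answer to an ephemeral port on my host: the portscan false-positive source
    "dns_reply_ephemeral": build_udp_packet("198.51.100.53", MY_IP, 53, 33211),
    # source port 53 aimed at a real service port: a probe the broad filter would hide
    "src53_to_service": build_udp_packet("198.51.100.53", MY_IP, 53, 123),
    # ordinary UDP probe from a high port: kept by both filters
    "udp_probe": build_udp_packet("198.51.100.7", MY_IP, 40000, 31337),
    # DNS answer to another host: the narrowed filter's 'dst host' clause drops it
    "dns_reply_other_host": build_udp_packet("198.51.100.53", "192.0.2.20", 53, 33211),
}


def classify(samples=SAMPLES):
    """Map each sample name to (passes broad filter, passes narrowed filter)."""
    return {name: (broad_filter(p), narrow_filter(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (broad, narrow) in classify().items():
        print(f"{name:22s} broad={broad!s:5s} narrow={narrow}")
```

The "src53_to_service" row is the one that matters: it is the only packet the two filters disagree on, and it is precisely the case where excluding all of source port 53 would let a scanner hide from the preprocessor.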
Current thread:
- Portscan preprocessor catching DNS replies Mathieu Nantel (Aug 15)
- Re: Portscan preprocessor catching DNS replies Jörgen Persson (Aug 15)
- Re: Portscan preprocessor catching DNS replies Andreas Östling (Aug 15)
- Re: Portscan preprocessor catching DNS replies Jörgen Persson (Aug 15)
- Re: Portscan preprocessor catching DNS replies Jörgen Persson (Aug 15)
- Re: Portscan preprocessor catching DNS replies Andreas Östling (Aug 15)
- Message not available
- Message not available
- Message not available
- Re: Portscan preprocessor catching DNS replies root (Aug 16)
- Re: Portscan preprocessor catching DNS replies Jörgen Persson (Aug 16)
- Re: Portscan preprocessor catching DNS replies Jörgen Persson (Aug 15)
- <Possible follow-ups>
- Re: Portscan preprocessor catching DNS replies Neil Dickey (Aug 15)
