IDS mailing list archives

RE: Snort rules setup.


From: "Derick Anderson" <danderson () vikus com>
Date: Mon, 5 Dec 2005 07:48:55 -0500

 

-----Original Message-----
From: phunked up! [mailto:phunkodelic () gmail com] 
Sent: Wednesday, November 30, 2005 2:14 PM
To: focus-ids () securityfocus com
Subject: Snort rules setup.

I am trying to get rid of the errors of: "(portscan) Open 
Port" in my Snort logs.  They are filling it up quite fast.  
I have put a line in the threshold.conf file and enabled that 
file in the snort.conf file but that has done nothing so far.

Setup is CentOS/MySQL/Snort/BASE.  Any advice would be much 
appreciated.

Thanks!


Instead of using threshold.conf I used some suppress commands in
snort.conf. I don't remember which gen_id and sig_id portscan/open port
is but I added these 4 lines in my snort.conf to shut it and
http_inspect up in regards to certain events:

# gen_id 122 = sfportscan preprocessor, gen_id 119 = http_inspect preprocessor
suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 19
suppress gen_id 119, sig_id 4
suppress gen_id 119, sig_id 15

I'm sure some googling will shed light on the combination you may need,
although I remember it taking me forever to figure out what to do.

Derick Anderson
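An added example (my code, not Derick's or the Snort project's) for the "which gen_id and sig_id" problem: it tallies alert_fast lines by generator id, signature id and source, then emits a per-source `threshold` line (keeps one alert per source per minute, so scan visibility survives) next to the blunter `suppress` line for each noisy event. It assumes the classic Snort 2.x `threshold`/`suppress` keywords and uses constructed sample alerts.

```python
import re
from collections import Counter

# Constructed Snort "alert_fast" lines, made up for this example (not from the thread).
SAMPLE_ALERTS = """\
11/30-14:01:02.100000  [**] [122:27:0] (portscan) Open Port [**] [Priority: 3] {PROTO:255} 10.0.0.5 -> 10.0.0.9
11/30-14:01:02.200000  [**] [122:27:0] (portscan) Open Port [**] [Priority: 3] {PROTO:255} 10.0.0.5 -> 10.0.0.9
11/30-14:01:03.300000  [**] [122:27:0] (portscan) Open Port [**] [Priority: 3] {PROTO:255} 10.0.0.6 -> 10.0.0.9
11/30-14:01:04.400000  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.0.0.7:44321 -> 10.0.0.9:80
11/30-14:01:05.500000  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 10.0.0.5 -> 10.0.0.9
"""

# [**] [gid:sid:rev] message [**] ... {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\s(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->"
)

def count_events(text):
    """Return {(gid, sid, msg): Counter(src_ip -> hits)} for alert_fast lines."""
    events = {}
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an alert line (or a format this regex does not cover)
        key = (int(m["gid"]), int(m["sid"]), m["msg"])
        events.setdefault(key, Counter())[m["src"]] += 1
    return events

def suggest_filters(events, min_hits=3, per_minute=1):
    """Emit snort.conf lines for every (gid, sid) seen at least min_hits times.
    'threshold ... type limit' keeps one alert per source per 60 s; the commented
    'suppress' line is the blunt alternative that silences the event entirely."""
    lines = []
    for (gid, sid, msg), by_src in sorted(events.items()):
        total = sum(by_src.values())
        if total < min_hits:
            continue
        lines.append(f"# {msg}: {total} alerts from {len(by_src)} source(s)")
        lines.append(f"threshold gen_id {gid}, sig_id {sid}, type limit, "
                     f"track by_src, count {per_minute}, seconds 60")
        lines.append(f"# suppress gen_id {gid}, sig_id {sid}")
    return lines

if __name__ == "__main__":
    print("\n".join(suggest_filters(count_events(SAMPLE_ALERTS))))
```

Point it at a real alert file with a higher `min_hits` before pasting anything into snort.conf, and prefer the threshold line unless the event really is useless on your network.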

