Snort mailing list archives
RE: false positive + NAT
From: Lee Brotherston <lee.brotherston () uk easynet net>
Date: Mon, 17 Sep 2001 14:57:59 +0100
| We do network address translation (hide mode) on the firewall.
|
| I have a lot of alerts like
|
| WEB-MISC http directory traversal
| WEB-MISC ultraboard access
| WEB-MISC whisker head
|
| source IP : our firewall, high ports
| destination IP : web sites, port 80
|
| This is obviously the traffic back to the web servers, firstly originated by
| our users from the Internal LAN.
|
| I am wondering how not to log this kind of traffic, and why does snort
| identify this as an attempt.

The best way is to modify the rules so that they look something like:

alert tcp !$HOME_NET -> $HTTP_SERVERS

or to set $EXTERNAL_NET to be !$HOME_NET in your snort.conf

This way attempts are only logged if they come from outside of your address space. However, if you are doing this, it's best to make sure that you are using private IP addressing and have anti-spoofing on your LAN, or else you might neglect to log genuine bad traffic. There is always the argument about the percentage of hack attempts that originate internally of course ;)

I have found that you do get a number of false positives from the default rule set; I would tend to use it as a template rather than a definitive set-up. Rather than dropping internal traffic, you might try to cut down the amount of data to analyse by dropping rules that are of no interest to you, for example if your website is designed to allow directory traversal then there is not a lot of need to log it?

Thanks

Lee

--
Lee Brotherston - IP Security Manager, Easynet Ltd
http://www.easynet.net/
Phone: +44 20 7900 4444
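A small simulation of the two settings discussed above, added here as an illustration (not code from the thread or from Snort itself): it expands Snort-style address variables, including the !$HOME_NET negation, and applies a rule's address header to constructed flows, so the NAT false positive, the genuine external probe and the anti-spoofing caveat can be compared side by side. All addresses, variable values and flows are assumptions.

```python
import ipaddress

# Constructed addresses (assumptions, not from the original thread): the site uses
# 192.168.0.0/16 inside and 203.0.113.0/24 outside; the firewall NATs users to .1.
RULE = ("$EXTERNAL_NET", "$HTTP_SERVERS")   # src -> dst address header of the WEB-MISC rules
DEFAULT_CONF = {"HOME_NET": "[192.168.0.0/16,203.0.113.0/24]",
                "EXTERNAL_NET": "any", "HTTP_SERVERS": "any"}
TIGHT_CONF = dict(DEFAULT_CONF, EXTERNAL_NET="!$HOME_NET")   # the change suggested in the reply

# Constructed flows a sensor outside the firewall might see.
FLOWS = {
    "nat_browsing":     ("203.0.113.1", "198.51.100.10"),   # internal users browsing out via NAT
    "external_probe":   ("198.51.100.77", "203.0.113.10"),  # outsider probing the web server
    "spoofed_internal": ("192.168.1.5", "203.0.113.10"),    # outside packet with a forged inside source
}

def resolve(expr, conf):
    """Expand a Snort address expression ($VAR, !expr, any, [a,b]) to (negated, networks)."""
    negated = expr.startswith("!")
    if negated:
        expr = expr[1:]
    if expr.startswith("$"):
        inner_neg, nets = resolve(conf[expr[1:]], conf)
        return negated ^ inner_neg, nets          # !$VAR flips whatever $VAR expands to
    if expr == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    nets = [ipaddress.ip_network(p.strip()) for p in expr.strip("[]").split(",")]
    return negated, nets

def addr_matches(expr, ip, conf):
    """True when ip satisfies the address expression under this configuration."""
    negated, nets = resolve(expr, conf)
    return any(ipaddress.ip_address(ip) in n for n in nets) != negated

def fires(conf, src_ip, dst_ip):
    """Would a rule with RULE's address header alert on this src -> dst flow?"""
    return addr_matches(RULE[0], src_ip, conf) and addr_matches(RULE[1], dst_ip, conf)

def evaluate(conf):
    """Map each constructed flow name to whether the rule fires under conf."""
    return {name: fires(conf, src, dst) for name, (src, dst) in FLOWS.items()}

if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("EXTERNAL_NET=!$HOME_NET", TIGHT_CONF)):
        print(label, evaluate(conf))
```

With the default settings every flow alerts, including the NAT'd browsing; with EXTERNAL_NET set to !$HOME_NET the browsing is silent and the real probe still alerts, but so is the spoofed-source packet, which is exactly why the reply pairs the change with anti-spoofing on the LAN.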
Current thread:
- false positive + NAT Frederic Lemoine (Sep 17)
- <Possible follow-ups>
- RE: false positive + NAT Lee Brotherston (Sep 17)