Snort mailing list archives
Re: snort filter
From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 26 Sep 2001 13:31:00 -0700 (PDT)
On Wed, 26 Sep 2001, Eduard Meiler wrote:
After installing snort I get a lot of these messages about the traffic: Does it make sense to disable this function, or is there a way to filter the unnecessary information?
It depends.
Sep 26 21:00:00 wall snort: [1:515:2] MISC source port 53 to <1024 [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} 193.141.40.1:53 -> 192.168.7.200:53
Consider the source and destination. Source was from xlink1.xlink.net which is a DNS server. Destination was a private net. Now if that internal machine made a DNS query then this might be normal, seeing as you can specify the port to connect back on in the BIND configs. Is that one of the DNS servers you use? If not, then something might be up. If so, build a pass rule for it if needed, then use the -o switch to swap the order of the rules.

Hope this helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
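Added example, not part of the original message: a small triage script that applies the reasoning above to sid 515 alerts in syslog format, emitting a narrow pass rule only when the source is a resolver you actually use and leaving everything else for review. The resolver set and the second log line are constructed assumptions; pass rules only take effect ahead of alert rules when Snort is started with `-o`.

```python
import ipaddress
import re

# Constructed sample: the alert quoted in the thread, plus one constructed
# line from a port-53 source that is NOT one of our resolvers.
SAMPLE_LOG = """\
Sep 26 21:00:00 wall snort: [1:515:2] MISC source port 53 to <1024 [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} 193.141.40.1:53 -> 192.168.7.200:53
Sep 26 21:00:07 wall snort: [1:515:2] MISC source port 53 to <1024 [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} 203.0.113.9:53 -> 192.168.7.200:22
"""

ALERT_RE = re.compile(
    r"snort: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: .*?\] \[Priority: \d+\]: \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def triage(log_text, resolvers):
    """Split sid 515 alerts into pass-rule candidates and lines to review.

    resolvers: set of DNS server IPs the site is known to query (assumption:
    the operator has confirmed these from resolv.conf / BIND forwarders).
    """
    pass_rules, review = [], []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m or m["sid"] != "515":
            continue
        dst_private = ipaddress.ip_address(m["dst"]).is_private
        if m["src"] in resolvers and m["sport"] == "53" and dst_private:
            # Keep the rule as narrow as the observed flow, not "any any".
            rule = f'pass {m["proto"].lower()} {m["src"]} 53 -> {m["dst"]} {m["dport"]}'
            if rule not in pass_rules:
                pass_rules.append(rule)
        else:
            review.append(line)  # unknown source: "something might be up"
    return pass_rules, review

if __name__ == "__main__":
    rules, review = triage(SAMPLE_LOG, {"193.141.40.1"})
    print("# add to the rules file, then run snort with -o")
    print("\n".join(rules))
    print("# still needs a human look:")
    print("\n".join(review))
```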