Snort mailing list archives

Re: .ida attempt vs .ida access


From: Chris Green <cmg () uab edu>
Date: 01 Aug 2001 12:54:08 -0500

"Julia A. Case" <julie () MageNet com> writes:

> Ok, after lots of help from Jed I got snort up and going and logging to a 
> MySQL database...  I'm using snortreport to view the data in the database 
> and it seems when I view the info about a .ida attempt it triggers an 
> alert of .ida access, at first I was scared and then I realized that the 
> alert came from the pc I was using to view the web page...

This is a somewhat common problem with IDSs monitoring IDS output.  I
believe Max Vision used to get tons of complaints from people that
were complaining his site was setting off their IDS and they were only
downloading the whitehats ruleset.

You may wish to make a pass rule along with the -o option for your IDS
ip if the network you are monitoring will come through the same
interface as the one you access the reports on.
-- 
Chris Green <cmg () uab edu>
Fame may be fleeting but obscurity is forever.
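
The pass rule and `-o` option suggested in the reply could look like the following. This is an added example, not part of the original message: the addresses, variable names, msg text and sid are constructed placeholders, and the config path and interface in the final comment are assumptions. The rule is limited to one viewing host and one report server on port 80, so all other traffic is still checked against the alert rules.

```snort
# Constructed placeholder addresses (documentation range); replace with your own.
# REPORT_VIEWER: workstation used to browse the reports.
# REPORT_SERVER: web server hosting the report pages.
var REPORT_VIEWER 192.0.2.10
var REPORT_SERVER 192.0.2.20

# Ignore web traffic in both directions between those two hosts only.
pass tcp $REPORT_VIEWER any <> $REPORT_SERVER 80 (msg:"report viewer traffic"; sid:1000001; rev:1;)

# Start Snort with -o so pass rules are evaluated before alert rules, e.g.:
#   snort -o -c /etc/snort/snort.conf -i eth0
```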
