Snort mailing list archives
Re: .ida attempt vs .ida access
From: Chris Green <cmg () uab edu>
Date: 01 Aug 2001 12:54:08 -0500
"Julia A. Case" <julie () MageNet com> writes:
Ok, after lots of help from Jed I got snort up and going and logging to a MySQL database... I'm using snortreport to view the data in the database and it seems when I view the info about a .ida attempt it triggers an alert of .ida access, at first I was scared and then I realized that the alert came from the pc I was using to view the web page...
This is a somewhat common problem with IDSs monitoring IDS output. I believe Max Vision used to get tons of complaints from people that were complaining his site was setting off their IDS and they were only downloading the whitehats ruleset.

You may wish to make a pass rule along with the -o option for your IDS IP if the network you are monitoring will come through the same interface as the one you access the reports on.

--
Chris Green <cmg () uab edu>
Fame may be fleeting but obscurity is forever.
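A simplified model of why the pass rule suggested above needs the -o option, added here as an example and not part of the message or of Snort's own code. It assumes the standard rule order is Alert, Pass, Log and that -o switches it to Pass, Alert, Log; all addresses, URLs and rule tuples are constructed.

```python
# Simplified model of Snort rule-type ordering; not Snort source code.
# All addresses, URLs and rule tuples below are constructed for illustration.
VIEWER = "192.0.2.10"         # PC used to browse the IDS report pages
REPORT_SERVER = "192.0.2.20"  # web server hosting the report front end
OTHER_SERVER = "192.0.2.30"   # any other monitored web server

# Rule tuple: (action, src, dst, dst_port, payload substring or None)
RULES = [
    ("alert", "any", "any", 80, ".ida"),        # stand-in for ".ida access"
    ("pass", VIEWER, REPORT_SERVER, 80, None),  # narrow pass rule
]

STANDARD_ORDER = ("alert", "pass", "log")  # assumed default order
DASH_O_ORDER = ("pass", "alert", "log")    # assumed order with -o


def matches(rule, pkt):
    """True when the packet fits the rule's addresses, port and content."""
    _, src, dst, port, content = rule
    return (src in ("any", pkt["src"])
            and dst in ("any", pkt["dst"])
            and port == pkt["dport"]
            and (content is None or content in pkt["payload"]))


def verdict(pkt, order):
    """Action of the first matching rule, trying rule types in `order`."""
    for action in order:
        for rule in RULES:
            if rule[0] == action and matches(rule, pkt):
                return action
    return "none"


def packet(src, dst, payload):
    return {"src": src, "dst": dst, "dport": 80, "payload": payload}


# Constructed traffic: the signature name in a report URL contains ".ida".
report_view = packet(VIEWER, REPORT_SERVER, "GET /report?sig=.ida+attempt HTTP/1.0")
real_probe = packet("198.51.100.7", OTHER_SERVER, "GET /x.ida HTTP/1.0")
viewer_elsewhere = packet(VIEWER, OTHER_SERVER, "GET /x.ida HTTP/1.0")

if __name__ == "__main__":
    for name, pkt in [("report_view", report_view), ("real_probe", real_probe),
                      ("viewer_elsewhere", viewer_elsewhere)]:
        print(name, verdict(pkt, STANDARD_ORDER), verdict(pkt, DASH_O_ORDER))
```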
Current thread:
- .ida attempt vs .ida access Julia A. Case (Aug 01)
- Re: .ida attempt vs .ida access Chris Green (Aug 01)