Snort mailing list archives
Snort config question
From: "Chris W." <guamchris () yahoo com>
Date: Sun, 3 Feb 2002 23:17:03 -0600
Hello everyone,

Before I begin, this is my configuration:

System #1
  OS: Windows XP Pro
  Snort 1.8.2
  MySQL
  ACID

System #2
  OS: Windows XP Pro
  Snort 1.8.2
  ZoneAlarm
  BlackIce

On both systems:

  var HOME_NET any
  var EXTERNAL_NET any

Both systems are connected to a Linksys BEFSR41 router, which is connected to my cable modem. I have System #2 configured to dump the alerts to the MySQL database on the first system.

It seems to be working, with one exception: BlackIce is registering a frequent number of HTTP port probes (4-5 per hour) and even a few SubSeven probes. However, neither of these shows up as an alert in Snort. I have run NmapNT against System #2 to verify that Snort is functioning on that machine.

This is my first attempt at running Snort, so I am running all rules except:

  # include c:\snort\rules\shellcode.rules
  # include c:\snort\rules\policy.rules
  # include c:\snort\rules\porn.rules
  # include c:\snort\rules\icmp-info.rules

Am I missing something here, or is BlackIce showing me some false hits? I've tried running without BI, but the result was the same. I'm running a small mail server on System #2, so it has a number of ports open to it, but I have yet to see a single alert from outside my network (on either machine).

Any suggestions will be greatly appreciated!

Chris Wilson

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
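For readers of the archive, the snort.conf fragment below is an added illustration of how a Snort 1.8-era sensor on a small NAT'd LAN is normally configured; it is not from Chris's post or from the Snort distribution. It assumes the router's LAN side is 192.168.1.0/24, that the database host (System #1) is 192.168.1.10, and that the rules live under c:\snort\rules as in the post; adjust those values to your own network. Two points it is meant to make: HOME_NET and EXTERNAL_NET drawn as concrete networks let the $EXTERNAL_NET -> $HOME_NET rules distinguish inbound traffic from local noise, and the web-* and backdoor rule files match on packet content, so a bare connection attempt to port 80 with no request body matches none of them. Connection attempts without payload are what the portscan preprocessor records.

```conf
# snort.conf fragment (Snort 1.8.x syntax) -- added example, not the
# original poster's configuration. Addresses and paths are assumptions.

# Concrete networks instead of "any"/"any": EXTERNAL_NET is the
# negation of HOME_NET, so inbound and outbound traffic are distinct.
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var RULE_PATH c:\snort\rules

# Preprocessors shipped with 1.8: IP defragmentation, TCP stream
# reassembly (detect_scans flags stealth scans), HTTP URI normalisation
# for the web-* rules, and the portscan detector.
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80

# A host touching 4 ports within 3 seconds is logged as a scan; this is
# the component that sees a SYN to port 80 that carries no HTTP request.
preprocessor portscan: $HOME_NET 4 3 c:\snort\log\portscan.log
# Do not count the router (assumed 192.168.1.1) as a scanner.
preprocessor portscan-ignorehosts: 192.168.1.1/32

# Ship alerts to the MySQL/ACID host (System #1, assumed 192.168.1.10).
# Replace the password placeholder; never leave a real one in a shared config.
output database: alert, mysql, user=snort password=CHANGE_ME dbname=snort host=192.168.1.10

# Content-matching rule sets relevant to the probes described in the post:
# web-* rules fire only on HTTP requests with matching content, and the
# backdoor rules fire on the trojan's protocol traffic, not on a bare SYN.
include $RULE_PATH\web-iis.rules
include $RULE_PATH\web-cgi.rules
include $RULE_PATH\web-misc.rules
include $RULE_PATH\backdoor.rules
```

When comparing a personal-firewall log against Snort alerts, check the portscan log and the alert output separately: a port probe that never sends data appears in the former, while the rules-based alerts in the database only record traffic whose payload matched a signature.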
Current thread:
- Snort config question Chris W. (Feb 03)
- Re: Snort config question Ryan Russell (Feb 03)