Snort mailing list archives
*NEWBIE* Excluding Proxy Traffic from Snort?
From: "Matthew Gavin" <matt () tempo com au>
Date: Thu, 14 Nov 2002 16:43:44 +1100
Hi all,

I'm new to Snort... still trying to work my way through the excellent documentation.

I was hoping for an answer to a really simple question... I want to exclude any internal traffic hitting my Proxy from my alert log... I am being barraged with the following every second... it's legit, and useless to me:

[**] [1:618:2] SCAN Squid Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/14-16:11:12.112690 0:50:73:27:1D:41 -> 0:10:5A:68:35:9E type:0x800 len:0x3E
10.1.5.115:2657 -> 203.xx.xx.xx:3128 TCP TTL:125 TOS:0x0 ID:49315 IpLen:20 DgmLen:48 DF
******S* Seq: 0x15E126F Ack: 0x0 Win: 0x2000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

Is there a quick way to exclude this information? My /etc/snort.conf makes no reference to my internal LAN... It only knows of the DMZ - Like so:

var HOME_NET 203.xx.xx.0/24
var EXTERNAL_NET any

Thanks in advance.

mg

© 2002 MCSE = Must Consult Someone Else.
Current thread:
- *NEWBIE* Excluding Proxy Traffic from Snort? Matthew Gavin (Nov 13)
- Re: *NEWBIE* Excluding Proxy Traffic from Snort? Erek Adams (Nov 14)
- <Possible follow-ups>
- RE: *NEWBIE* Excluding Proxy Traffic from Snort? McCammon, Keith (Nov 14)