Snort mailing list archives
Re: Too many alerts
From: Joerg Weber <j.weber () infos de>
Date: 07 Apr 2003 11:56:06 +0200
Hi there,
> These I believe are false positives but I want them to STOP. Please help me in stopping these. Of course I don't want to unload the rules, therefore any other solution is welcome.
First, I'd suggest you trim down your rulebase and check for rules you really want. That's not only good for speed (more rules->slower snort) but it's also essential for the understanding process ;) Having said that, there are several things you could do. One is to comment out the rules which are getting triggered too often. The other is to write a PASS rule for hosts which trigger the rules but are false positives. Or you use BPF to ignore the offending host. Look at [0] and [1] for more info about that please. I'd also check out [2] for some general comments about rules & which ones to include/exclude.
> The messages are: "SCAN UPNP service discover attempt" "nessus MISC xdmcp info query" (I think I know this because I use cygwin XWin.exe to connect to this server over X and this started after using this) "X11 MIT Magic Cookie detected" (probably because of the same reason above...XDM)...
Yup, pretty likely. You're triggering the rules yourself. If you've an x-server in-house, then you might want to tune your rulebase anyways, as you prolly do not care for every connection to your x-server, do you now? ;)

Cheers!
Joerg

[0] http://www.theadamsfamily.net/~erek/snort/ignore.txt
[1] http://marc.theaimsgroup.com/?l=snort-users&m=103582526626496&w=2
[2] http://marc.theaimsgroup.com/?l=snort-users&m=101967600523591&w=2

--
Joerg Weber
Network Security
infoServe GmbH
Nell-Breuning-Allee 6
D-66115 Saarbruecken
T: (0681) 8 80 08 - 0
F: (0681) 8 80 08 - 59
www.infos.de
E: j.weber () infos de
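The three tuning options Joerg lists (comment out the rule, add a PASS rule, or drop the host with a BPF filter) look like this in Snort 2.x configuration. This is an added example, not something from the thread or from the Snort distribution; 192.0.2.10 stands in for the administrator's X client and the rule text for the X11 alert is constructed, so check the exact rule in your own x11.rules before copying anything.

```snort
# --- Option 1: comment out the noisy rule in x11.rules ---------------------
# Simplest, but you lose the alert for every host, not just the known X client.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6000:6063 (msg:"X11 MIT Magic Cookie detected"; ...)

# --- Option 2: PASS rule for the one host that is a known false positive --
# Snort 2.x applies rules in the order alert, pass, log by default, so a pass
# rule does nothing until the order is changed, either with "snort -o" or with
# this line in snort.conf:
config order: pass alert log

# local.rules: match the same traffic the X11 rule matches, but only from the
# admin workstation (placeholder address), and drop it before alert rules run.
# sid is in the local range (>= 1000000) so it cannot collide with stock rules.
pass tcp 192.0.2.10 any -> $HOME_NET 6000:6063 (msg:"PASS known X11 client"; sid:1000001; rev:1;)

# --- Option 3: BPF filter so Snort never sees the host at all ------------
# Put the expression in a file and start Snort with "snort -F xclient.bpf".
# Coarsest option: no rule of any kind fires for this host's traffic.
not host 192.0.2.10
```

The pass rule is the usual middle ground: it silences one signature for one host while the same rule keeps firing for anyone else who connects to the X server, whereas the BPF filter hides everything that host does.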
Current thread:
- Too many alerts Egal A Egal - SA (Apr 07)
- Re: Too many alerts Joerg Weber (Apr 07)