Snort mailing list archives

Re: Too many alerts


From: Joerg Weber <j.weber () infos de>
Date: 07 Apr 2003 11:56:06 +0200

Hi there,


> These I believe are false positives but I want them to STOP.
>
> Please help me in stopping these. Of course I don't want to unload the rules, therefore any other solution is welcome.
First, I'd suggest you trim down your rulebase and check for rules you
really want. That's not only good for speed (more rules->slower snort)
but it's also essential for the understanding process ;)

Having said that, there are several things you could do.
One is to comment out the rules which are getting triggered too often.
The other is to write a PASS rule for hosts which trigger the rules but
are false positives. Or you use BPF to ignore the offending host. Look
at [0] and [1] for more info about that please.

I'd also check out [2] for some general comments about rules & which
ones to include/exclude.

> The messages are:
> "SCAN UPNP service discover attempt"
> "nessus MISC xdmcp info query" (I think I know this because I use cygwin XWin.exe to connect to this server over X
> and this started after using this)
> "X11 MIT Magic Cookie detected" (probably because of the same reason above...XDM)...
Yup, pretty likely. You're triggering the rules yourself. If you've an x-server inhouse, then you might want to tune
your rulebase anyways, as you prolly do not care for every connection to your x-server, do you now? ;)

Cheers!

Joerg


[0] http://www.theadamsfamily.net/~erek/snort/ignore.txt
[1] http://marc.theaimsgroup.com/?l=snort-users&m=103582526626496&w=2
[2] http://marc.theaimsgroup.com/?l=snort-users&m=101967600523591&w=2


--
Joerg Weber
Network Security

infoServe GmbH
Nell-Breuning-Allee 6
D-66115 Saarbruecken

T: (0681) 8 80 08 - 0
F: (0681) 8 80 08 - 59
www.infos.de
E: j.weber () infos de
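A small tuning helper, added here as an example and not part of Joerg's message or of Snort itself: it parses constructed alert.fast lines (RFC 5737 addresses, placeholder SIDs), ranks the noisiest signatures and flows, and emits a pass rule and a BPF host exclusion for the worst offender. It assumes Snort 2.x rule syntax, where pass rules only take effect when snort runs with -o or with 'config order: pass alert log' in snort.conf.

```python
import re
from collections import Counter

# Matches Snort's one-line "fast" alert format (-A fast); field names are this script's own.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Constructed sample alert.fast lines: RFC 5737 addresses, placeholder SIDs (not real Snort IDs).
# 192.0.2.20 is the workstation running XWin.exe, 192.0.2.10 the server it displays from.
SAMPLE_ALERTS = """\
04/07-11:50:01.000001  [**] [1:900001:1] SCAN UPNP service discover attempt [**] [Priority: 3] {UDP} 192.0.2.20:1900 -> 239.255.255.250:1900
04/07-11:50:02.000002  [**] [1:900002:1] nessus MISC xdmcp info query [**] [Priority: 2] {UDP} 192.0.2.20:1025 -> 192.0.2.10:177
04/07-11:50:03.000003  [**] [1:900003:1] X11 MIT Magic Cookie detected [**] [Priority: 3] {TCP} 192.0.2.10:33000 -> 192.0.2.20:6000
04/07-11:50:04.000004  [**] [1:900003:1] X11 MIT Magic Cookie detected [**] [Priority: 3] {TCP} 192.0.2.10:33001 -> 192.0.2.20:6000
"""

def parse_alert(line):
    """Return the alert's fields as a dict, or None for non-alert lines."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None

def noisiest(lines, top=3):
    """Rank alerts per signature and per (sid, proto, src, dst, dport) flow."""
    by_sig, by_flow = Counter(), Counter()
    for a in filter(None, map(parse_alert, lines)):
        by_sig[(a["sid"], a["msg"])] += 1
        by_flow[(a["sid"], a["proto"], a["src"], a["dst"], a["dport"])] += 1
    return by_sig.most_common(top), by_flow.most_common(top)

def pass_rule(sid, proto, src, dst, dport, local_sid):
    """Snort 2 pass rule silencing one flow of one signature. Pass rules only win
    when evaluated first: run snort with -o or set 'config order: pass alert log'."""
    return (f"pass {proto.lower()} {src} any -> {dst} {dport or 'any'} "
            f'(msg:"tuned out sid {sid}"; sid:{local_sid}; rev:1;)')

def bpf_exclusion(hosts):
    """BPF expression that drops the listed hosts before any rule is matched."""
    return "not (" + " or ".join(f"host {h}" for h in sorted(set(hosts))) + ")"

if __name__ == "__main__":
    sigs, flows = noisiest(SAMPLE_ALERTS.splitlines())
    for (sid, msg), n in sigs:
        print(f"{n:4d}  sid {sid}  {msg}")
    sid, proto, src, dst, dport = flows[0][0]       # the single noisiest flow
    print(pass_rule(sid, proto, src, dst, dport, 1000001))
    print(bpf_exclusion(src for (_, _, src, _, _), _ in flows))
```

Prefer the narrow pass rule over the BPF exclusion when the host still carries traffic you want inspected, since BPF drops everything from that host before Snort sees it.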

