Snort mailing list archives

RE: Same src/dst

From: "Brei, Matt" <mbrei () medclaiminc com>
Date: Mon, 31 Mar 2003 22:18:15 -0500
I put them in the local rules.  I don't know if this is the best place
to put them as far as performance goes.  But this seems to be the
logical place to put them.
 
Matt
 
-----Original Message-----
From: David Alonso De La Vega Tapage [mailto:delavegad () bancoaliado com] 
Sent: Monday, March 31, 2003 8:09 AM
To: Brei, Matt
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Same src/dst
 
Question .. 

where is the exact right place to put these rules .. ?  to mantain the
better performace of snort .. 

Thanx in advance .. 

Cheers,

David Alonso

Brei, Matt wrote:


     I have been seeing a lot of these "same SRC/DST" alerts even after
adding two local rules to pass them.  I think these alerts are due to
the fact that there is a DNS server running on this machine and it is
using itself for its name resolution.
  
   #3-(4-1434)    
   BAD TRAFFIC same SRC/DST    
   2003-03-30 18:49:29    
   10.13.110.254:1026    
   10.13.110.254:53    
   UDP    
 
   #4-(4-1435)    
   BAD TRAFFIC same SRC/DST    
   2003-03-30 18:49:29    
   10.13.110.254:53    
   10.13.110.254:1026    
   UDP    
 
The two local rules are as follows:
 
  pass ip 10.13.110.254 53 -> 10.13.110.254 1026 (msg:"BAD TRAFFIC same
SRC/DST"; sameip; reference:cve,CVE-1999-0016;
reference:url,www.cert.org/advisories/CA-1997-28.html;
classtype:bad-unknown; sid:527; rev:3;)
 
pass ip 10.13.110.254 1026 -> 10.13.110.254 53 (msg:"BAD TRAFFIC same
SRC/DST"; sameip; reference:cve,CVE-1999-0016;
reference:url,www.cert.org/advisories/CA-1997-28.html;
classtype:bad-unknown; sid:527; rev:3;)
 
These alerts are filling the database rather quickly.  Please help.  I
have searched the mailing list archives as well as Usenet with no
helpful results.
 
Matt
 
 
-------------------------------------------------------
This SF.net email is sponsored by:
The Definitive IT and Networking Event. Be There!
NetWorld+Interop Las Vegas 2003 -- Register today!
http://ads.sourceforge.net/cgi-bin/redirect.pl?keyn0001en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users
 
  
 



  _____  



 
****** Message from InterScan E-Mail VirusWall NT ******
 
** No virus found in attached file noname.htm
 
Este correo ha sido revisado y esta libre de virus. Disclaimer
*****************     End of message     ***************
Current thread:

RE: Same src/dst Brei, Matt (Mar 31)
- <Possible follow-ups>
- RE: Same src/dst Brei, Matt (Mar 31)