Snort mailing list archives
RE: Same src/dst
From: "Brei, Matt" <mbrei () medclaiminc com>
Date: Mon, 31 Mar 2003 22:18:15 -0500
I put them in the local rules. I don't know if this is the best place to put them as far as performance goes. But this seems to be the logical place to put them. Matt -----Original Message----- From: David Alonso De La Vega Tapage [mailto:delavegad () bancoaliado com] Sent: Monday, March 31, 2003 8:09 AM To: Brei, Matt Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] Same src/dst Question .. where is the exact right place to put these rules .. ? to mantain the better performace of snort .. Thanx in advance .. Cheers, David Alonso Brei, Matt wrote: I have been seeing a lot of these "same SRC/DST" alerts even after adding two local rules to pass them. I think these alerts are due to the fact that there is a DNS server running on this machine and it is using itself for its name resolution. #3-(4-1434) BAD TRAFFIC same SRC/DST 2003-03-30 18:49:29 10.13.110.254:1026 10.13.110.254:53 UDP #4-(4-1435) BAD TRAFFIC same SRC/DST 2003-03-30 18:49:29 10.13.110.254:53 10.13.110.254:1026 UDP The two local rules are as follows: pass ip 10.13.110.254 53 -> 10.13.110.254 1026 (msg:"BAD TRAFFIC same SRC/DST"; sameip; reference:cve,CVE-1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:3;) pass ip 10.13.110.254 1026 -> 10.13.110.254 53 (msg:"BAD TRAFFIC same SRC/DST"; sameip; reference:cve,CVE-1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:3;) These alerts are filling the database rather quickly. Please help. I have searched the mailing list archives as well as Usenet with no helpful results. Matt ------------------------------------------------------- This SF.net email is sponsored by: The Definitive IT and Networking Event. Be There! NetWorld+Interop Las Vegas 2003 -- Register today! http://ads.sourceforge.net/cgi-bin/redirect.pl?keyn0001en _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=ort-users _____ ****** Message from InterScan E-Mail VirusWall NT ****** ** No virus found in attached file noname.htm Este correo ha sido revisado y esta libre de virus. Disclaimer ***************** End of message ***************
Current thread:
- RE: Same src/dst Brei, Matt (Mar 31)
- <Possible follow-ups>
- RE: Same src/dst Brei, Matt (Mar 31)