Snort mailing list archives

Re: PLEASE CC ME

From: Erek Adams <erek () snort org>
Date: Sat, 8 Nov 2003 20:37:13 -0500 (EST)

On Sat, 8 Nov 2003, Sean Lazar wrote:

What port does your proxy run on? Is it 8080?

The rule is:
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy \(8080\)
attempt"; flags:S,12; classtype:attempted-recon; sid:620; rev:3;)
http://www.snort.org/snort-db/sid.html?sid=620

This rule, if I am reading it right, will trigger on any connection to 8080
in your home net. This one gets alot of false positives probably because
8080 is a popular port.

Nothing to worry about, just turn off the rule.


Nope...  Leave the rule on.

Just change EXTERNAL_NET from "any" to !$HOME_NET.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This SF.Net email sponsored by: ApacheCon 2003,
16-19 November in Las Vegas. Learn firsthand the latest
developments in Apache, PHP, Perl, XML, Java, MySQL,
WebDAV, and more! http://www.apachecon.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

PLEASE CC ME Stephan Weaver (Nov 07)
- Re: PLEASE CC ME Sean Lazar (Nov 08)
  - Re: PLEASE CC ME Erek Adams (Nov 08)
- <Possible follow-ups>
- Re: PLEASE CC ME Leonard Miller (Nov 08)