Snort mailing list archives
Re: PLEASE CC ME
From: Erek Adams <erek () snort org>
Date: Sat, 8 Nov 2003 20:37:13 -0500 (EST)
On Sat, 8 Nov 2003, Sean Lazar wrote:
> What port does your proxy run on? Is it 8080? The rule is:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy \(8080\) attempt"; flags:S,12; classtype:attempted-recon; sid:620; rev:3;)
>
> http://www.snort.org/snort-db/sid.html?sid=620
>
> This rule, if I am reading it right, will trigger on any connection to 8080
> in your home net. This one gets a lot of false positives, probably because
> 8080 is a popular port. Nothing to worry about, just turn off the rule.

Nope... Leave the rule on. Just change EXTERNAL_NET from "any" to !$HOME_NET.

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson
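
An added example, not part of the original messages or of Snort itself: a small Python model of sid 620's header and flags test, run over constructed packets, showing which connections alert with EXTERNAL_NET set to any and to !$HOME_NET. The HOME_NET range and all addresses are assumptions.

```python
import ipaddress

# Assumed value for illustration; the thread does not give the poster's network.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

SYN, ACK = 0x02, 0x10
ECN_BITS = 0xC0  # the two bits the ",12" mask in flags:S,12 tells Snort to ignore


def in_var(addr, value):
    """Evaluate a Snort address variable: "any", "$HOME_NET" or "!$HOME_NET"."""
    if value == "any":
        return True
    inside = ipaddress.ip_address(addr) in HOME_NET
    return not inside if value.startswith("!") else inside


def sid_620_matches(pkt, external_net):
    """Header and flags test of sid 620 for one packet (src, dst, dport, flags)."""
    src, dst, dport, flags = pkt
    return (
        in_var(src, external_net)
        and in_var(dst, "$HOME_NET")
        and dport == 8080
        and (flags & ~ECN_BITS & 0xFF) == SYN  # exactly SYN once ECN bits are masked
    )


# Constructed sample packets.
PACKETS = [
    ("192.168.1.23", "192.168.1.5", 8080, SYN),             # LAN client -> local proxy
    ("192.168.1.40", "192.168.1.5", 8080, SYN | ECN_BITS),  # same, ECN-capable client
    ("203.0.113.9", "192.168.1.5", 8080, SYN),              # outside host, proxy port
    ("203.0.113.9", "192.168.1.5", 8080, SYN | ACK),        # not a bare SYN
    ("203.0.113.9", "192.168.1.5", 80, SYN),                # different port
]


def alerts(external_net):
    """Source addresses of the sample packets that would raise sid 620."""
    return [p[0] for p in PACKETS if sid_620_matches(p, external_net)]


if __name__ == "__main__":
    for setting in ("any", "!$HOME_NET"):
        print(f"EXTERNAL_NET={setting:<11} alerts from: {alerts(setting)}")
```

With `any`, the internal clients' own proxy connections alert alongside the outside SYN; with `!$HOME_NET`, only the outside SYN does.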