Snort mailing list archives
RE: the alert log is getting so huge in minutes!
From: "Hudak, Tyler" <Tyler.Hudak () roadway com>
Date: Mon, 19 Jan 2004 11:41:02 -0500
I wouldn't delete those rules, they are doing exactly what you want them to do! Snort is detecting an IP address within your network, 10.17.112.16, that is infected with a virus, most likely SQL Slammer. Track down all of the machines that are infected, clean them up and patch, and the alerts will go away. The ICMP Unreachables will probably go away as well.

Tyler
Message: 1
Date: Mon, 19 Jan 2004 02:18:21 -0600 (CST)
From: soldier Mx <soldi3rmx () yahoo com mx>
To: snort-users () lists sourceforge net
Subject: [Snort-users] the alert log is getting so huge in minutes!

Hey, /var is full and the alert log is so BIG. I'm getting this alert every 2-3 seconds and my log of alerts is getting so huge that my /var is full as well!! What to do?

    [**] [1:2004:1] MS-SQL Worm propagation attempt OUTBOUND [**]
    [Classification: Misc Attack] [Priority: 2]
    01/17-16:07:18.519151 10.17.112.16:2526 -> 237.158.119.228:1434
    UDP TTL:1 TOS:0x0 ID:40538 IpLen:20 DgmLen:404
    Len: 376
    [Xref => http://vil.nai.com/vil/content/v_99992.htm][Xref => http://www.securityfocus.com/bid/5311][Xref => http://www.securityfocus.com/bid/5310]

and other ones, like ICMP unreachable. In one minute I get like 1 megabyte of logs of those alerts. How could I delete those rules that are causing those alerts? Because I'm using Gentoo Linux, and that alert is about Microsoft... so what to do? Thanks in advance! :)
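The reply's advice is to find the internal hosts generating SID 2004 rather than silence the rule. As an added example that is not part of the thread, this script parses Snort "full" alert records in the format quoted above and counts them per source address; the sample records are constructed (the second source host is invented for illustration).

```python
import re
from collections import Counter

# Constructed sample in Snort's "full" alert format, modelled on the alert
# quoted in the thread. Records are separated by blank lines.
SAMPLE_ALERTS = """\
[**] [1:2004:1] MS-SQL Worm propagation attempt OUTBOUND [**]
[Classification: Misc Attack] [Priority: 2]
01/17-16:07:18.519151 10.17.112.16:2526 -> 237.158.119.228:1434
UDP TTL:1 TOS:0x0 ID:40538 IpLen:20 DgmLen:404
Len: 376
[Xref => http://vil.nai.com/vil/content/v_99992.htm]

[**] [1:2004:1] MS-SQL Worm propagation attempt OUTBOUND [**]
[Classification: Misc Attack] [Priority: 2]
01/17-16:07:20.101010 10.17.112.16:2526 -> 10.99.3.7:1434
UDP TTL:1 TOS:0x0 ID:40539 IpLen:20 DgmLen:404
Len: 376

[**] [1:2004:1] MS-SQL Worm propagation attempt OUTBOUND [**]
[Classification: Misc Attack] [Priority: 2]
01/17-16:07:21.000001 10.17.112.44:1074 -> 192.0.2.9:1434
UDP TTL:1 TOS:0x0 ID:1 IpLen:20 DgmLen:404
Len: 376
"""

# First line of a record: [**] [gid:sid:rev] message [**]
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
# Packet line: timestamp src[:port] -> dst[:port]; ports are absent for ICMP.
PACKET_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\d+\.\d+\.\d+\.\d+)(?::\d+)?"
                       r" -> (\d+\.\d+\.\d+\.\d+)(?::\d+)?$")

def parse_alerts(text):
    """Yield one dict (sid, msg, src, dst) per well-formed alert record."""
    for record in text.strip().split("\n\n"):
        lines = record.strip().splitlines()
        head = HEADER_RE.match(lines[0]) if lines else None
        if not head:
            continue  # not a Snort alert header, skip the record
        for line in lines[1:]:
            pkt = PACKET_RE.match(line)
            if pkt:
                yield {"sid": int(head.group(2)), "msg": head.group(4),
                       "src": pkt.group(2), "dst": pkt.group(3)}
                break

def infected_hosts(text, sid=2004):
    """Count alerts for one SID by source IP: the hosts still spreading the worm."""
    counts = Counter(a["src"] for a in parse_alerts(text) if a["sid"] == sid)
    return counts.most_common()

if __name__ == "__main__":
    for ip, n in infected_hosts(SAMPLE_ALERTS):
        print(f"{ip}\t{n} outbound propagation alerts")
```

Pointing it at the real alert file instead of SAMPLE_ALERTS gives the list of machines to clean and patch; once they stop emitting, both the worm alerts and the related ICMP unreachables should stop.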