Snort mailing list archives
P2P traffic?
From: gary douglas <GM-Douglas () wiu edu>
Date: Thu, 21 Jul 2005 15:31:27 -0500
I have just started using Snort and am new to it. I have seen a huge number of alerts of three types in particular. I think these are related and that is why I am posting them together. The alerts are:
(http_inspect) BARE BYTE UNICODE ENCODING
(portscan) TCP Portsweep
(portscan) Open Port

I have searched the internet and have not found any reference to these alerts in combination. When I look at one of the Bare Byte Unicode packets, I find the following:

http://emule-project.net

These alerts are coming from computers within the subnet I am monitoring and going to numerous different destination addresses all over the internet. I work at a University so we do not block P2P on our ResNet (Resident Hall Network). I know one of the users that is coming up at the top is using P2P.
My question is, are these three alerts typical of P2P programs? Should I ignore them?
That brings up my second set of questions. I understand these are preprocess in Snort. I have gone into the threshold.conf and added the following lines:
suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 3
suppress gen_id 119, sig_id 4

I uncommented the line in the snort.conf, but I still get counts on these alerts. I have even added the suppress lines to the snort.conf and still receive alert counts. How do I stop these alerts from being watched for? Am I on the right track with this?
Thank you for the help.

Gary Douglas
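An added example, not code from the post above or from the Snort project: a small offline checker that reads Snort 2 fast-format alert lines and a set of threshold.conf `suppress` entries (the `gen_id <gid>, sig_id <sid>` form used in the post, plus the optional `track by_src|by_dst, ip <addr|cidr>` form) and reports which alert counts those entries would remove. The alert lines and the threshold.conf text are constructed for the demonstration; the GID:SID pairs follow the post (122:27 Open Port, 122:3 TCP Portsweep, 119:4 BARE BYTE UNICODE ENCODING), and the per-host `track by_src` line and the 1:1000001 local rule are assumptions added to show that suppression is keyed on GID:SID and, when tracking is given, on the source or destination address.

```python
"""Offline check of Snort 2 'suppress' entries against fast-format alert lines.

Added example for this thread; not code from the original post or from Snort.
Sample alerts and threshold.conf below are constructed for the demonstration.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Snort 2 fast alert line: "<ts>  [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]"
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)

# threshold.conf entry: suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <ip|cidr>]
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>\S+))?\s*$"
)


@dataclass(frozen=True)
class Alert:
    gid: int
    sid: int
    msg: str
    src: str
    dst: str


@dataclass(frozen=True)
class Suppress:
    gid: int
    sid: int
    track: Optional[str] = None          # None: suppress the GID:SID everywhere
    net: Optional[ipaddress.IPv4Network] = None

    def matches(self, a: Alert) -> bool:
        if (a.gid, a.sid) != (self.gid, self.sid):
            return False
        if self.track is None:
            return True
        addr = ipaddress.ip_address(a.src if self.track == "by_src" else a.dst)
        return addr in self.net


def parse_alerts(text: str) -> List[Alert]:
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append(Alert(int(m["gid"]), int(m["sid"]), m["msg"], m["src"], m["dst"]))
    return alerts


def parse_suppress(conf: str) -> List[Suppress]:
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0]      # drop comments
        m = SUPPRESS_RE.match(line)
        if not m:
            continue                      # blank lines and non-suppress entries are ignored here
        net = ipaddress.ip_network(m["ip"], strict=False) if m["ip"] else None
        rules.append(Suppress(int(m["gid"]), int(m["sid"]), m["track"], net))
    return rules


def apply_suppress(alerts: List[Alert], rules: List[Suppress]) -> List[Alert]:
    """Return the alerts that no suppress entry matches."""
    return [a for a in alerts if not any(r.matches(a) for r in rules)]


def count_by_sig(alerts: List[Alert]) -> Counter:
    return Counter(f"{a.gid}:{a.sid}" for a in alerts)


# Constructed sample alerts (RFC 5737 addresses); the fifth line is a hypothetical local rule.
SAMPLE_ALERTS = """\
07/21-15:31:27.000001  [**] [122:27:1] (portscan) Open Port [**] [Priority: 3] {PROTO:255} 10.1.2.3 -> 198.51.100.7
07/21-15:31:27.000002  [**] [122:3:1] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 10.1.2.3 -> 203.0.113.9
07/21-15:31:27.000003  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 10.1.2.3:4662 -> 198.51.100.7:80
07/21-15:31:27.000004  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 10.1.2.44:51000 -> 203.0.113.9:80
07/21-15:31:27.000005  [**] [1:1000001:1] constructed local rule [**] [Priority: 2] {TCP} 10.1.2.3:4662 -> 203.0.113.9:4662
"""

# Constructed threshold.conf: the two portscan lines from the post, and a per-host
# variant of the http_inspect line (assumption) to show address tracking.
THRESHOLD_CONF = """\
# threshold.conf (constructed for the example)
suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 3
suppress gen_id 119, sig_id 4, track by_src, ip 10.1.2.3
"""


def demo():
    alerts = parse_alerts(SAMPLE_ALERTS)
    remaining = apply_suppress(alerts, parse_suppress(THRESHOLD_CONF))
    return count_by_sig(alerts), count_by_sig(remaining)


if __name__ == "__main__":
    before, after = demo()
    print("before:", dict(before))
    print("after: ", dict(after))
```

Running it against the constructed data shows the two portscan GID:SIDs disappearing entirely, the 119:4 alert from 10.1.2.3 removed while the one from 10.1.2.44 stays (the `track by_src` entry only covers the listed address), and the unrelated rule untouched. Pointing `parse_alerts` at a real fast-format alert file and `parse_suppress` at the threshold.conf actually loaded by snort.conf is a quick way to see what a given set of suppress lines should and should not be removing.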
Current thread:
- P2P traffic? gary douglas (Jul 21)