Snort mailing list archives

Re: Snort decoder & pass rules


From: Murali Raju <protocoljunkie () gmail com>
Date: Mon, 7 Nov 2005 10:57:08 -0500

config disable_decode_alerts is the only option for now. I personally leave
it on, since in the past for example snort_decoder alerted on someone
terminating IPSec tunnels from within the local network to various external
sources.

_Raju

On 11/7/05, Paul Melson <pmelson () gmail com> wrote:

Following a recent sensor redeployment, I've started seeing some alerts on
an internal segment that look like this:

Time: 7 Nov 2005 09:17:23 EST
Message: (snort decoder) Bad Traffic Loopback IP
SID: [1:150]
Proto: UDP
Source IP / Port: 10.0.2.24 / 2300
Dest IP / Port: 127.0.0.1 / 2300


A quick sniff of the traffic reveals that this is actually occurring. The
device generating the traffic is an older telephony interface and has
probably been doing this for a very long time. I would like to disable
these alerts, but because they're generated by the decoder, I'm not sure
how to proceed. I am assuming that writing pass or suppress rules will be
ineffective. The documented alert options for the decoder don't include the
ability to single out this type of alert, let alone specify source addresses
to ignore for. So what's the best way to address this issue? Are my only
options 'config disable_decode_alerts' or just living with the noise?

Thanks,
PaulM

PS - If it matters, the sensor is running 2.4.3.







--
May the packets be with you.
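Since the decoder options discussed above cannot single out one decoder alert from one source, an added example (not from this thread or from Snort itself) of doing that selectively in post-processing: it parses alert lines in a Snort-style fast-alert format and drops only the "Loopback IP" decoder alert (decoder generator 116, SID 150) when the source is the known telephony device, leaving every other alert intact. The sample lines, the 10.0.2.24/32 suppression entry and the exact line layout are constructed assumptions, not a guaranteed copy of 2.4.3 output.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines, loosely modelled on Snort's fast-alert format
# (assumption: real 2.4.3 output may differ in spacing and wording).
SAMPLE_ALERTS = [
    "11/07-09:17:23.000000 [**] [116:150:1] (snort_decoder): Bad Traffic Loopback IP [**] {UDP} 10.0.2.24:2300 -> 127.0.0.1:2300",
    "11/07-09:17:24.000000 [**] [116:150:1] (snort_decoder): Bad Traffic Loopback IP [**] {UDP} 10.0.2.77:2300 -> 127.0.0.1:2300",
    "11/07-09:17:25.000000 [**] [116:151:1] (snort_decoder): Bad Traffic Same Src/Dst IP [**] {UDP} 10.0.2.24:2300 -> 10.0.2.24:2300",
]

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Post-processing suppressions as (generator, sid, source network).
# Hypothetical entry: the telephony device from the thread, 10.0.2.24/32.
SUPPRESS = [
    (116, 150, ip_network("10.0.2.24/32")),
]

def parse_alert(line):
    """Return a dict of generator, sid, message and 5-tuple, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["gid"], d["sid"] = int(d["gid"]), int(d["sid"])
    return d

def is_suppressed(alert):
    """True only when generator, sid and source address all match an entry."""
    src = ip_address(alert["src"])
    return any(alert["gid"] == gid and alert["sid"] == sid and src in net
               for gid, sid, net in SUPPRESS)

def filter_alerts(lines):
    """Keep unparseable lines (never silently drop them) and unsuppressed alerts."""
    kept = []
    for line in lines:
        a = parse_alert(line)
        if a is None or not is_suppressed(a):
            kept.append(line)
    return kept
```

Unlike `config disable_decode_alerts`, the second and third sample alerts (a different source, and a different decoder alert from the same device) still get through.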
