Snort mailing list archives
Re: Snort decoder & pass rules
From: Murali Raju <protocoljunkie () gmail com>
Date: Mon, 7 Nov 2005 10:57:08 -0500
config disable_decode_alerts is the only option for now. I personally leave it on, since in the past, for example, snort_decoder alerted on someone terminating IPSec tunnels from within the local network to various external sources.

_Raju

On 11/7/05, Paul Melson <pmelson () gmail com> wrote:
> Following a recent sensor redeployment, I've started seeing some alerts on an internal segment that look like this:
>
>   Time:        7 Nov 2005 09:17:23 EST
>   Message:     (snort decoder) Bad Traffic Loopback IP
>   SID:         [1:150]
>   Proto:       UDP
>   Source IP:   10.0.2.24
>   Source Port: 2300
>   Dest IP:     127.0.0.1
>   Dest Port:   2300
>
> A quick sniff of the traffic reveals that this is actually occurring. The device generating the traffic is an older telephony interface and has probably been doing this for a very long time.
>
> I would like to disable these alerts, but because they're generated by the decoder, I'm not sure how to proceed. I am assuming that writing pass or suppress rules will be ineffective. The documented alert options for the decoder don't include the ability to single out this type of alert, let alone specify source addresses to ignore for.
>
> So what's the best way to address this issue? Are my only options 'config disable_decode_alerts' or just living with the noise?
>
> Thanks,
> PaulM
>
> PS - If it matters, the sensor is running 2.4.3.
-- May the packets be with you.
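An added example, not from either poster and not Snort code: when decoder alerts stay enabled on the sensor, the one known-noisy flow can be separated downstream while every other decoder alert is kept and the separated ones are still counted. It assumes alerts are exported as records with the columns shown in the quoted message; the field names, the `KNOWN_NOISE` list and the second and third sample rows are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample records. Row 1 mirrors the alert quoted in the thread;
# rows 2 and 3 are made up to show what must NOT be filtered out.
SAMPLE_ALERTS = [
    {"msg": "(snort decoder) Bad Traffic Loopback IP", "proto": "UDP",
     "src": "10.0.2.24", "sport": 2300, "dst": "127.0.0.1", "dport": 2300},
    {"msg": "(snort decoder) Bad Traffic Loopback IP", "proto": "UDP",
     "src": "10.0.2.77", "sport": 2300, "dst": "127.0.0.1", "dport": 2300},
    {"msg": "(snort decoder) constructed other decoder event", "proto": "UDP",
     "src": "10.0.2.24", "sport": 500, "dst": "192.0.2.10", "dport": 500},
]

# Hypothetical allowlist: one entry per reviewed, explained noise source.
# Every field must match, so the entry covers only the telephony device's flow.
KNOWN_NOISE = [
    {"msg": "Bad Traffic Loopback IP", "proto": "UDP",
     "src": ipaddress.ip_network("10.0.2.24/32"),
     "dst": ipaddress.ip_network("127.0.0.1/32"), "dport": 2300},
]

def is_known_noise(alert, rules=KNOWN_NOISE):
    """True only if message, protocol, source, destination and port all match."""
    src = ipaddress.ip_address(alert["src"])
    dst = ipaddress.ip_address(alert["dst"])
    return any(
        r["msg"] in alert["msg"] and r["proto"] == alert["proto"]
        and src in r["src"] and dst in r["dst"] and alert["dport"] == r["dport"]
        for r in rules
    )

def triage(alerts, rules=KNOWN_NOISE):
    """Split alerts into those to review and a per-source count of known noise."""
    kept, suppressed = [], Counter()
    for alert in alerts:
        if is_known_noise(alert, rules):
            # Count instead of discarding, so a change in volume stays visible.
            suppressed[(alert["src"], alert["msg"])] += 1
        else:
            kept.append(alert)
    return kept, suppressed

if __name__ == "__main__":
    kept, suppressed = triage(SAMPLE_ALERTS)
    for alert in kept:
        print("REVIEW", alert["src"], "->", alert["dst"], alert["msg"])
    for (src, msg), count in suppressed.items():
        print("KNOWN NOISE", src, msg, "x", count)
```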