Snort mailing list archives
How to proceed
From: "Timothy A. Holmes" <tholmes () mcaschool net>
Date: Thu, 10 Nov 2005 11:00:03 -0500
Hi folks:

I am VERY new to using snort. I have it set up and sniffing between our cable modem and the firewall, and it appears to be running well. I am seeing alerts show up in BASE.

So I look at a particular alert, and find the following:

[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=3> ] (portscan) TCP Portsweep
unclassified
15 <https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B1%5D=1&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%)
1 <https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5D=1&sig_type=1>
1 <https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&sig%5B0%5D=%3D&sig%5B1%5D=1>
7 <https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&sig%5B0%5D=%3D&sig%5B1%5D=1>
2005-11-09 10:13:55
2005-11-10 10:38:46

I click on the snort link which, if I understand correctly, should take me to a page which will tell me what the alert means and what I should do about it (if anything).

And I get the following (this is the link to the page):

http://www.snort.org/pub-bin/sigs.cgi?sid=27

Which basically tells me that the snort database has never heard of this before.

What do I do now??? Did I configure base incorrectly or what? I must confess to being kinda lost.

TIM

Timothy A. Holmes
IT Manager / Network Admin / Web Master / Computer Teacher
Medina Christian Academy
A Higher Standard...
Jeremiah 33:3
Jeremiah 29:11
Esther 4:14