Snort mailing list archives
Re: How to proceed
From: Ralf Spenneberg <lists () spenneberg org>
Date: Thu, 10 Nov 2005 17:29:22 +0100
Hi,

you configured everything correctly. This is a shortcoming in Base. The alert was generated by a preprocessor and not a signature. Base cannot yet distinguish between these alerts and always tries to look up a signature at the snort homepage. All sids below 100 definitely are preprocessor alerts and are not accessible through the snort homepage.

Ralf

On Thursday, 10.11.2005, at 11:00 -0500, Timothy A. Holmes wrote:
Hi folks:

I am VERY new to using snort, I have it set up and sniffing between our cable modem and the firewall, and it appears to be running well. I am seeing alerts show up in BASE.

So I look at a particular alert, and find the following

[snort] (portscan) TCP Portsweep unclassified 15(0%) 1 1 7 2005-11-09 10:13:55 2005-11-10 10:38:46

I click on the snort link which, if I understand correctly should take to a page which will tell me what the alert means and what I should do about it (if anything)

And I get the following (this is the link to the page)

http://www.snort.org/pub-bin/sigs.cgi?sid=27

Which basically tells me that the snort database has never heard of this before

What do I do now??? Did I configure base incorrectly or what? I must confess to being kinda lost

TIM

Timothy A. Holmes
IT Manager / Network Admin / Web Master / Computer Teacher
Medina Christian Academy
A Higher Standard...
Jeremiah 33:3
Jeremiah 29:11
Esther 4:14
--
Ralf Spenneberg
OpenSource Training
http://www.opensource-training.de
Webereistr. 1
48565 Steinfurt
Germany
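The distinction drawn in the reply above, as an added example that is not part of the original messages and is not BASE or Snort code: it separates preprocessor alerts from signature alerts in Snort alert text so a signature lookup is attempted only where one can exist. It goes beyond the reply's sid rule of thumb by assuming the generator ID in Snort's `[gid:sid:rev]` alert header is available; the sample lines and function names are constructed for illustration.

```python
import re
from collections import Counter

# Header of a Snort "fast"/"full" alert: [**] [gid:sid:rev] message [**]
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")

# Generator IDs of the rules engine: 1 = text rules, 3 = shared-object rules.
# Any other generator is a preprocessor or the packet decoder.
RULE_GIDS = {1, 3}

# Constructed sample lines (addresses from documentation ranges).
SAMPLE = """\
11/09-10:13:55.000000 [**] [122:3:0] (portscan) TCP Portsweep [**] [Priority: 3] 192.0.2.10 -> 198.51.100.5
11/09-10:14:02.000000 [**] [1:1000001:1] Constructed local rule [**] [Priority: 3] {TCP} 192.0.2.10:4444 -> 198.51.100.5:80
11/09-10:14:09.000000 [**] [122:3:0] (portscan) TCP Portsweep [**] [Priority: 3] 192.0.2.11 -> 198.51.100.5
this line is not an alert
"""


def parse_alert(line):
    """Return gid, sid, rev, msg and alert source, or None for non-alert lines."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    gid, sid, rev = (int(g) for g in m.group(1, 2, 3))
    source = "rule" if gid in RULE_GIDS else "preprocessor"
    return {"gid": gid, "sid": sid, "rev": rev, "msg": m.group(4), "source": source}


def where_to_look(alert):
    """Point the analyst at documentation that can actually describe the alert."""
    if alert["source"] == "rule":
        return f"rule documentation for sid {alert['sid']}"
    return f"gen-msg.map and preprocessor docs for generator {alert['gid']}"


def triage(text):
    """Count alerts per (source, gid, sid, msg), skipping unparseable lines."""
    counts = Counter()
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is not None:
            counts[(alert["source"], alert["gid"], alert["sid"], alert["msg"])] += 1
    return counts


if __name__ == "__main__":
    for (source, gid, sid, msg), n in triage(SAMPLE).most_common():
        hint = where_to_look({"source": source, "gid": gid, "sid": sid})
        print(f"{n:3d}  {source:12s} [{gid}:{sid}] {msg} -> {hint}")
```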
Current thread:
- How to proceed Timothy A. Holmes (Nov 10)
- Re: How to proceed Ralf Spenneberg (Nov 10)
- Re: How to proceed Kevin Johnson (Nov 10)
- Re: How to proceed Ralf Spenneberg (Nov 10)
- Re: How to proceed Kevin Johnson (Nov 10)
- <Possible follow-ups>
- Re: How to proceed Nigel Houghton (Nov 10)
- Re: How to proceed Ralf Spenneberg (Nov 10)