Snort mailing list archives

Re: How to proceed


From: Ralf Spenneberg <lists () spenneberg org>
Date: Thu, 10 Nov 2005 17:29:22 +0100

Hi,

you configured everything correctly. This is a shortcoming in Base.

The alert was generated by a preprocessor and not a signature. Base
cannot yet distinguish between these alerts and always tries to look up a
signature at the snort homepage. All sids below 100 definitely are
preprocessor alerts and are not accessible through the snort homepage.

Ralf

On Thursday, 10.11.2005, at 11:00 -0500, Timothy A. Holmes wrote:
Hi folks:

I am VERY new to using snort, I have it set up and sniffing between
our cable modem and the firewall, and it appears to be running well.

I am seeing alerts show up in BASE.

So I look at a particular alert, and find the following

[snort] (portscan) TCP Portsweep unclassified 15(0%) 1 1 7 2005-11-09 10:13:55 2005-11-10 10:38:46

I click on the snort link which, if I understand correctly, should take
me to a page which will tell me what the alert means and what I should do
about it (if anything)

And I get the following (this is the link to the page)

http://www.snort.org/pub-bin/sigs.cgi?sid=27

Which basically tells me that the snort database has never heard of
this before

What do I do now???

Did I configure base incorrectly or what?

I must confess to being kinda lost

TIM

Timothy A. Holmes
IT Manager / Network Admin / Web Master / Computer Teacher

Medina Christian Academy
A Higher Standard...

Jeremiah 33:3
Jeremiah 29:11
Esther 4:14


-- 
Ralf Spenneberg
OpenSource Training                     http://www.opensource-training.de
Webereistr. 1                           48565 Steinfurt           Germany
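
The distinction described in the reply above, sketched as an added example (not part of the original message and not BASE's code): it reads the `[gid:sid:rev]` triple from Snort fast-alert lines and only builds a homepage lookup link for rule-engine alerts. Assumptions: generator ID 1 is the rules engine, the sid ranges follow the Snort manual (below 100 reserved, 1,000,000 and up local), and the sample lines and their message text are constructed.

```python
import re

# Fast-alert format: "[**] [gid:sid:rev] message [**] ..."
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")
RULE_ENGINE_GID = 1        # assumption: gid 1 = Snort rules engine
LOCAL_SID_START = 1000000  # assumption: Snort manual convention for local rules
LOOKUP_URL = "http://www.snort.org/pub-bin/sigs.cgi?sid={sid}"  # URL form from the thread

# Constructed sample input, not captured from a real sensor.
SAMPLE = [
    "11/10-10:38:46.000000  [**] [122:3:0] (portscan) TCP Portsweep [**] "
    "[Priority: 3] {PROTO:255} 192.0.2.10 -> 198.51.100.7",
    "11/10-10:40:02.000000  [**] [1:2003:8] EXAMPLE distributed rule [**] "
    "[Priority: 2] {UDP} 192.0.2.10:4321 -> 198.51.100.7:1434",
    "11/10-10:41:15.000000  [**] [1:1000001:1] EXAMPLE local rule [**] "
    "[Priority: 3] {TCP} 192.0.2.10:4322 -> 198.51.100.7:80",
    "this line is not an alert",
]


def classify(line):
    """Return (source, gid, sid, msg, url) for one alert line, or None."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    gid, sid, _rev = (int(x) for x in m.groups()[:3])
    msg = m.group(4)
    # Preprocessor alert: generator is not the rules engine, or the sid is
    # below 100 (the rule of thumb given in the reply). No lookup link.
    if gid != RULE_ENGINE_GID or sid < 100:
        return ("preprocessor", gid, sid, msg, None)
    # Locally written rule: the homepage has no page for it either.
    if sid >= LOCAL_SID_START:
        return ("local-rule", gid, sid, msg, None)
    return ("signature", gid, sid, msg, LOOKUP_URL.format(sid=sid))


if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry))
```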