Snort mailing list archives
Re: No clue?
From: John Friedman <jfriedmanx () yahoo com>
Date: Wed, 16 Nov 2005 07:53:56 -0800 (PST)
Thanks for your help.
did you enable the include threshold.conf at the end of your snort.conf?
YES! Also, I changed to:

suppress gen_id 100, sig_id 1, track by_src, ip 10.1.10.6
suppress gen_id 100, sig_id 2, track by_src, ip 10.1.10.6
suppress gen_id 100, sig_id 3, track by_src, ip 10.1.10.6

and still with the ignore_scanners statement. But, I still get these alerts:

************************
ID < Signature > < Timestamp > < Source Address > < Dest. Address > < Layer 4 Proto >
#0-(2-11683) [snort] spp_portscan from 10.1.10.6: 1 connections across 1 hosts: TCP(1), UDP(0) 2005-11-16 10:50:39 10.1.10.6 unknown IP
#1-(2-11682) [snort] spp_portscan from 10.1.10.6: 1 connections across 1 hosts: TCP(1), UDP(0) 2005-11-16 10:49:59 10.1.10.6 unknown IP
#2-(2-11681) [snort] spp_portscan from 10.1.10.6: 1 connections across 1 hosts: TCP(1), UDP(0) 2005-11-16 10:49:18 10.1.10.6 unknown IP
*********************

Any clue? I am totally lost. Any suggestions?

Thanks,
John

--- Eric Maheo <eric.maheo () appliedwatch com> wrote:
Just my 2 cents.. did you enable the include threshold.conf at the end of your snort.conf?

You can add a CIDR but consult the snort_manual.pdf. This manual is in your /doc of your sources. Download from snort.org and untargz your file and you will see this snort_manual.pdf in the /doc directory. At page 83 you have your answer.

ex:

suppress gen_id 1, sig_id 1234, track by_dst, ip 10.1.0.0/24

On Wed, 2005-11-16 at 07:07 -0800, John Friedman wrote:

Thanks for all suggestions and help that have been given to me. Here is my config now:

preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low } \
    ignore_scanners {[10.1.10.5,10.1.10.6] }

I restarted the snort service and I still get these alerts. I added these to the threshold.conf:

suppress gen_id 100, sig_id 1
suppress gen_id 100, sig_id 2
suppress gen_id 100, sig_id 3

and I still get these alerts. No idea why? Do you know what's the syntax for ignore_scanners for one block IP such as 10.1.10.0/24?

Thank you so much!
John

--- Joel Esler <joel.esler () sourcefire com> wrote:

Because you have to include it in the line prior.. See how the lines prior to that have "\"? You have to put the "\" in the line prior to the ignore_scanners line if you want it included..

J

On Nov 15, 2005, at 3:14 PM, John Friedman wrote:

Thank you for your help. Here is the config in my snort.conf:

preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low }
    ignore_scanners { 10.1.10.6 }

But, if I add ignore_scanners { 10.1.10.6 } to the snort.conf, the snort service can not be started. If I remove ignore_scanners { 10.1.10.6 }, then the snort service is started fine. No idea why?

Thanks,
John

--- Joel Esler <joel.esler () sourcefire com> wrote:

You need to put them into the sfportscan preprocessor as either ignore_scanned or ignore_scanner if you want to tune the portscan preprocessor.

Joel Esler

On Nov 15, 2005, at 11:27 AM, John Friedman wrote:

I constantly get these alerts from the citrix server:

ID < Signature > < Timestamp > < Source Address > < Dest. Address > < Layer 4 Proto >
#600-(2-7409) [snort] spp_portscan from 10.1.10.6: 1 connections across 1 hosts: TCP(1), UDP(0) 2005-11-15 09:49:12 10.1.10.6 unknown IP
#601-(2-7410) [snort] spp_portscan from 10.1.10.6: 1 connections across 1 hosts: TCP(1), UDP(0) 2005-11-15 09:49:19 10.1.10.6 unknown IP
#602-(2-7411) [snort] spp_portscan from 10.1.10.6: 1 connections across 1 hosts: TCP(1), UDP(0) 2005-11-15 09:49:59 10.1.10.6 unknown IP
*********

I use these:

suppress gen_id 100, sig_id 1
suppress gen_id 100, sig_id 2
suppress gen_id 100, sig_id 3

but it does not work. Any idea?

Thanks,
John

--- Jeruvy <jeruvy () shaw ca> wrote:

Sorry about that, I routinely delete emails from @yahoo.com due to spam.

What is the alert SID? Do you use oinkmaster?

J.
j e r u v y a t s h a w d o t c a

-----Original Message-----
From: John Friedman [mailto:jfriedmanx () yahoo com]
Sent: Tuesday, November 15, 2005 8:45 AM
To: snort
Subject: RE: [Snort-users] No clue?

Hi all,

Since I did not get any reply on this, is there any way to suppress or pass this alert?

Thanks,
John

John Friedman <jfriedmanx () yahoo com> wrote:

Thanks for your pointing out. Here is the info again:

ID <

=== message truncated ===

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
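Added example, not part of the thread and not Snort's own code: a small Python linter for the two configuration mistakes the replies above describe. Snort 2.x joins physical lines that end in a backslash into one logical line, so a stanza argument such as `ignore_scanners { ... }` left on a line of its own (the stanza John posted at 3:14 PM) is read as an unknown top-level directive, which matches Joel's explanation of why Snort would not start; and suppress rules in threshold.conf do nothing unless that file is included, which is Eric's first question. Assumptions: the `TOP_LEVEL` keyword set is my own approximation of Snort 2.x directives, not an official list; the bracketed comma list form of `ignore_scanners` is taken from John's own working stanza, while the `/24` form is assumed to be accepted there as it is in Eric's `suppress` example (check snort_manual.pdf for your version); both sample configs are constructed for the example.

```python
"""Lint a Snort 2.x snort.conf for (1) stanza arguments orphaned by a missing
trailing backslash and (2) a missing 'include threshold.conf'.
This is an illustrative checker written for this example, not Snort's parser;
TOP_LEVEL is an approximation and the sample configs are constructed."""
import re
from ipaddress import ip_address, ip_network

# Directives Snort 2.x accepts at the start of a logical line (approximation).
# Anything else at column 0 is almost always an argument orphaned by a
# missing '\' on the line above.
TOP_LEVEL = {
    "var", "ipvar", "portvar", "include", "config", "preprocessor", "output",
    "dynamicpreprocessor", "dynamicengine", "dynamicdetection", "ruletype",
    "alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic",
    "threshold", "suppress", "event_filter", "rate_filter",
}


def join_continuations(text):
    """Return [(first_physical_line_no, logical_line)], joining lines that end
    in a backslash the way Snort's config reader does."""
    out, buf, start = [], [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        out.append((start, " ".join(part.strip() for part in buf)))
        buf, start = [], None
    if buf:  # file ended right after a continuation backslash
        out.append((start, " ".join(part.strip() for part in buf)))
    return out


def lint(text):
    """Return human-readable findings; an empty list means both checks passed."""
    findings = []
    includes_threshold = False
    for no, line in join_continuations(text):
        if not line or line.startswith("#"):
            continue
        keyword = line.split(None, 1)[0].rstrip(":")
        if keyword == "include" and line.split()[-1].endswith("threshold.conf"):
            includes_threshold = True
        if keyword not in TOP_LEVEL:
            findings.append(f"line {no}: '{keyword}' is not a directive; probably a "
                            "stanza argument orphaned by a missing '\\' on the line above")
    if not includes_threshold:
        findings.append("no 'include threshold.conf': suppress rules are never loaded")
    return findings


def ignored_scanners(text):
    """Networks sfportscan's ignore_scanners would actually contain after
    continuation joining. Accepts single hosts, a.b.c.0/24, and the
    bracketed comma list '[x,y]' form from the thread."""
    for _, line in join_continuations(text):
        if line.startswith("preprocessor sfportscan"):
            m = re.search(r"ignore_scanners\s*\{([^}]*)\}", line)
            if not m:
                return []  # argument never reached the stanza
            raw = m.group(1).replace("[", " ").replace("]", " ").strip()
            return [ip_network(i, strict=False) for i in re.split(r"[\s,]+", raw) if i]
    return []


def is_ignored(ip, networks):
    """True if a scanner source address falls inside any ignored network."""
    return any(ip_address(ip) in n for n in networks)


# Constructed: the stanza from the thread, missing the backslash after
# sense_level, and no threshold.conf include.
BROKEN_CONF = """\
preprocessor sfportscan: proto { all } \\
    memcap { 10000000 } \\
    sense_level { low }
    ignore_scanners { 10.1.10.6 }
"""

# Constructed: every continuation line ends in '\', a /24 plus a host in the
# ignore list, and threshold.conf included at the end.
FIXED_CONF = """\
preprocessor sfportscan: proto { all } \\
    memcap { 10000000 } \\
    sense_level { low } \\
    ignore_scanners { [10.1.10.0/24,10.1.10.6] }
include threshold.conf
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, lint(conf) or "OK", [str(n) for n in ignored_scanners(conf)])
```

Running the block prints two findings for the broken stanza and an empty ignore list, because the orphaned `ignore_scanners` line never becomes part of the `preprocessor sfportscan` logical line; for the fixed stanza it prints `OK` with both networks, and `is_ignored("10.1.10.6", ...)` is true. Point it at a real snort.conf with `lint(open(path).read())` before restarting the service.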
Current thread:
- RE: No clue?, (continued)
- RE: No clue? John Friedman (Nov 15)
- Re: No clue? Matt Kettler (Nov 15)
- Re: No clue? John Friedman (Nov 15)
- RE: No clue? John Friedman (Nov 15)
- RE: No clue? John Friedman (Nov 15)
- RE: No clue? Briggs, Bruce (Nov 15)
- RE: No clue? John Friedman (Nov 15)
- Re: No clue? Joel Esler (Nov 15)
- RE: No clue? John Friedman (Nov 15)
- Re: No clue? John Friedman (Nov 15)
- Re: No clue? Joel Esler (Nov 15)
- Re: No clue? John Friedman (Nov 16)
- Re: No clue? John Friedman (Nov 16)
- Re: No clue? Eric Maheo (Nov 16)
- Re: No clue? John Friedman (Nov 16)
- Re: No clue? Eric Maheo (Nov 16)