Snort mailing list archives
Re: No clue?
From: John Friedman <jfriedmanx () yahoo com>
Date: Wed, 16 Nov 2005 11:09:37 -0800 (PST)
Thanks. Now, I changed these (in threshold.conf) to:

suppress gen_id 100, sig_id 1, track by_src, ip 10.1.10.6/32
suppress gen_id 100, sig_id 2, track by_src, ip 10.1.10.6/32
suppress gen_id 100, sig_id 3, track by_src, ip 10.1.10.6/32

and also in snort.conf I have:

preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low } \
    ignore_scanners { 10.1.10.6 }

preprocessor portscan-ignorehosts: 10.1.10.6

But, I still get these alerts. Totally out of mind now, any ideas?

Thanks,
John

--- Eric Maheo <eric.maheo () appliedwatch com> wrote:

like it's a cidr, I will try:

suppress gen_id 100, sig_id 1, track by_src, ip 10.1.10.6/32

On Wed, 2005-11-16 at 07:53 -0800, John Friedman wrote:

Thanks for your help.

did you enable the include threshold.conf at the end of your snort.conf?

YES! Also, I changed to

suppress gen_id 100, sig_id 1, track by_src, ip 10.1.10.6
suppress gen_id 100, sig_id 2, track by_src, ip 10.1.10.6
suppress gen_id 100, sig_id 3, track by_src, ip 10.1.10.6

and still with the ignore_scanners statement. But, I still get these alerts:

************************
ID < Signature > < Timestamp > < Source Address > < Dest. Address > < Layer 4 Proto >
#0-(2-11683) [snort] spp_portscan from 10.1.10.6: 1 connections across 1 hosts: TCP(1), UDP(0) 2005-11-16 10:50:39 10.1.10.6 unknown IP
#1-(2-11682) [snort] spp_portscan from 10.1.10.6: 1 connections across 1 hosts: TCP(1), UDP(0) 2005-11-16 10:49:59 10.1.10.6 unknown IP
#2-(2-11681) [snort] spp_portscan from 10.1.10.6: 1 connections across 1 hosts: TCP(1), UDP(0) 2005-11-16 10:49:18 10.1.10.6 unknown IP
*********************

Any clue? I am totally lost. Any suggestions?

Thanks,
John

--- Eric Maheo <eric.maheo () appliedwatch com> wrote:

Just my 2 cents.. did you enable the include threshold.conf at the end of your snort.conf?

You can add a cidr but consult the snort_manual.pdf. This manual is in the /doc of your sources. Download from snort.org and untargz your file and you will see this snort_manual.pdf in the /doc directory. At page 83 you have your answer.

ex: suppress gen_id 1, sig_id 1234, track by_dst, ip 10.1.0.0/24

On Wed, 2005-11-16 at 07:07 -0800, John Friedman wrote:

Thanks for all suggestions and help that have been given to me. Here is my config now:

preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low } \
    ignore_scanners {[10.1.10.5,10.1.10.6] }

I restarted the snort service and I still get these alerts.

I added these to the threshold.conf:

suppress gen_id 100, sig_id 1
suppress gen_id 100, sig_id 2
suppress gen_id 100, sig_id 3

and I still get these alerts. No idea why?

Do you know what's the syntax for ignore_scanners for one block of IPs such as 10.1.10.0/24?

Thank you so much!
John

--- Joel Esler <joel.esler () sourcefire com> wrote:

Because you have to include it in the line prior.. See how the lines prior to that have "\"? You have to put the "\" in the line prior to the ignore_scanners line if you want it included..

J

On Nov 15, 2005, at 3:14 PM, John Friedman wrote:

Thank you for your help. Here is the config in my snort.conf:

preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low }
    ignore_scanners { 10.1.10.6 }

But, if I add ignore_scanners { 10.1.10.6 } to the snort.conf, the snort service can not be started. If I remove ignore_scanners { 10.1.10.6 }, then the snort service is started fine. No idea why?

Thanks,
John

--- Joel Esler <joel.esler () sourcefire com> wrote:

You need to put them into the sfportscan preprocessor as either ignore_scanned or ignore_scanner if you want to tune the portscan preprocessor.

Joel Esler

On Nov 15, 2005, at 11:27 AM, John Friedman wrote:

I constantly get these alerts from the citrix server:

ID < Signature > < Timestamp > < Source Address > < Dest. Address > < Layer 4 Proto >
#600-(2-7409) [snort] spp_portscan from 10.1.10.6: 1 connections across 1 hosts: TCP(1), UDP(0) 2005-11-15 09:49:12
=== message truncated ===
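The two configuration pieces the thread keeps going back and forth over, as an added example that is not from the thread or from the Snort project: a checker that parses threshold.conf suppress lines and reports whether an alert with a given gen_id, sig_id and source address would actually be suppressed, plus a scan of a snort.conf preprocessor block for the missing continuation backslash Joel points out. The sample lines are constructed from what the thread shows; the suppress syntax and the trailing-"\" rule are taken as described above.

```python
import ipaddress
import re
# Constructed samples from the thread: gen_id 100, sig_id 1-3 are the portscan
# alert IDs being suppressed; the snort.conf fragment is the version that would
# not start because the "sense_level" line has no trailing "\".
SUPPRESS_LINES = """suppress gen_id 100, sig_id 1, track by_src, ip 10.1.10.6/32
suppress gen_id 100, sig_id 2, track by_src, ip 10.1.10.6/32
suppress gen_id 100, sig_id 3, track by_src, ip 10.1.10.6/32"""
BROKEN_CONF = """preprocessor sfportscan: proto { all } \\
    memcap { 10000000 } \\
    sense_level { low }
    ignore_scanners { 10.1.10.6 }"""
_SUPPRESS_RE = re.compile(r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
                          r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?$")
_OPTION_RE = re.compile(r"^[a-z_]+\s*\{")  # a "name { ... }" preprocessor option

def parse_suppress(text):
    """Parse threshold.conf suppress lines into (gen_id, sig_id, track, net)."""
    rules = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = _SUPPRESS_RE.match(line)
        if not m:
            raise ValueError("bad suppress line: %r" % line)
        gen, sig, track, ip = m.groups()
        net = ipaddress.ip_network(ip, strict=False) if ip else None
        rules.append((int(gen), int(sig), track, net))
    return rules

def is_suppressed(rules, gen_id, sig_id, src, dst=None):
    """True if an alert (gen_id, sig_id) from src to dst matches a rule."""
    for gen, sig, track, net in rules:
        if (gen, sig) != (gen_id, sig_id):
            continue
        addr = src if track == "by_src" else dst
        # a rule without track/ip suppresses everywhere; else match the address
        if net is None or (addr and ipaddress.ip_address(addr) in net):
            return True
    return False

def orphaned_options(conf_text):
    """Option lines whose previous line lacks a trailing backslash: Snort
    would read them as a directive of their own and refuse to start."""
    found, prev = [], ""
    for n, line in enumerate((l.strip() for l in conf_text.splitlines()), 1):
        if line and not line.startswith("#"):
            if _OPTION_RE.match(line) and not prev.endswith("\\"):
                found.append((n, line))
            prev = line
    return found
```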