Snort mailing list archives
Re: Address on my network generating many alerts
From: Nigel Houghton <nigel () sourcefire com>
Date: Wed, 26 Apr 2006 13:58:22 -0500
On 0, Arthur DiSegna <adisegna () authentium com> wrote:
Hello, I just installed SNORT for the first time and have noticed one of my servers generating a lot of traffic. Most of it is legitimate web traffic. How can I exclude the normal traffic while maintaining intrusion checks...
Start by tuning your setup, set your HOME_NET and EXTERNAL_NET variables in your snort.conf and start from there. The HOME_NET is normally your internal address space and the EXTERNAL_NET could be !$HOME_NET. The default snort.conf is generously commented. Then start looking at other variables in there and the preprocessor options for tuning. You might also want to look at which rule groups are enabled and disabled too. The manual[0] is online and there are many documents in the doc directory of the source tarball.

[0] http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/rc1/

Nigel Houghton
Research Engineer
Sourcefire Inc.
Vulnerability Research Team

There is no theory of evolution, just a list of creatures Vin Diesel allows to live.
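An added example, not part of the reply above or of Snort itself: a small Python check over a snort.conf in Snort 2.x `var` syntax that flags HOME_NET/EXTERNAL_NET left at `any` and lists which rule groups are enabled or commented out. Both embedded configs, the 192.168.10.0/24 range and the choice of disabled rule files are constructed for illustration.

```python
import re

# Constructed sample: both network variables left at "any".
DEFAULT_CONF = """\
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ../rules
include $RULE_PATH/local.rules
include $RULE_PATH/web-iis.rules
# include $RULE_PATH/web-attacks.rules
"""

# Constructed sample: placeholder internal range; which rule groups to
# comment out depends on what the monitored hosts actually run.
TUNED_CONF = """\
var HOME_NET [192.168.10.0/24]
var EXTERNAL_NET !$HOME_NET
var RULE_PATH ../rules
include $RULE_PATH/local.rules
# include $RULE_PATH/web-iis.rules
# include $RULE_PATH/web-attacks.rules
"""

VAR_RE = re.compile(r"^\s*var\s+(\S+)\s+(\S+)")
INCLUDE_RE = re.compile(r"^\s*(#?)\s*include\s+\$RULE_PATH/(\S+\.rules)")

def audit(conf_text):
    """Return (variables, enabled rule files, disabled rule files, findings)."""
    variables, enabled, disabled, findings = {}, [], [], []
    for line in conf_text.splitlines():
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = INCLUDE_RE.match(line)
        if m:  # a leading "#" means the rule group is switched off
            (disabled if m.group(1) else enabled).append(m.group(2))
    for name in ("HOME_NET", "EXTERNAL_NET"):
        value = variables.get(name)
        if value is None:
            findings.append(f"{name} is not defined")
        elif value == "any":
            findings.append(f"{name} is 'any': rules using ${name} match every address")
    return variables, enabled, disabled, findings

if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("tuned", TUNED_CONF)):
        _, enabled, disabled, findings = audit(conf)
        print(label, "enabled:", enabled, "disabled:", disabled, "findings:", findings)
```
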