Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Address on my network generating many alerts

From: "Arthur DiSegna" <adisegna () authentium com>
Date: Wed, 26 Apr 2006 15:16:43 -0400
The box is installed with Suse 10.0 two network interfaces. 
One nic is on the internal network and not capturing any traffic
(HOME_NET = 192.168.0.0).  
The other nic has no IP and is capturing the data in the DMZ
(EXTERNAL_NET !HOME_NET). The port on the public switch has port
forwarding enabled. The only traffic this interface captures is publicly
addressable. 

Currently I'm using the default snort.conf with added bleeding snort
rules. I will keep reading.

Thanks

 AD

-----Original Message-----
From: Nigel Houghton [mailto:nigel () sourcefire com] 
Sent: Wednesday, April 26, 2006 2:58 PM
To: Arthur DiSegna
Cc: snort-users () lists sourceforge net
Subject: Re: Address on my network generating many alerts

On  0, Arthur DiSegna <adisegna () authentium com> wrote:

 
Hello,

I just installed SNORT for the first time and have noticed one of my 
servers generating a lot of traffic. Most of it is legitimate web 
traffic. How can I exclude the normal traffic while maintaining 
intrusion checks...


Start by tuning your setup, set your HOME_NET and EXTERNAL_NET variables
in your snort.conf and start from there. The HOME_NET is normally your
internal address space and the EXTERNAL_NET could be !$HOME_NET. The
default snort.conf is generously commented.

Then start looking at other variables in there and the preprocessor
options for tuning. You might also want to look at which rule groups are
enabled and disabled too.

The manual[0] is online and there are many documents in the doc
directory of the source tarball.

[0] http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/rc1/

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

         There is no theory of evolution, just a list
            of creatures Vin Diesel allows to live.




-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid0709&bid&3057&dat1642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: