Re: Problems with snort

[Joel Esler <jesler () sourcefire com>]

Also, you should use the VRT ruleset available for free from the Snort.org website and not rely on the COMMUNITY rules 
that are at least 4 years old and distributed with Ubuntu/Debian, etc.

J

On Mar 26, 2012, at 12:43 PM, Nick Moore wrote:

> Philip, 
>
> Ping floods I haven't worked with as much, but port scanning will not necessarily alerts outside the portscan 
> preprocessor, which is off by default. If you really want to test your rulebase, I would suggest downloading some 
> interesting pcaps and testing your snort rulebase against them. You can find a bunch of them here: 
>
> http://sourceforge.net/apps/mediawiki/networkminer/index.php?title=Publicly_available_PCAP_files
>
> When it comes time to tune your rulebase for your network, please consider the rules that are applicable to your 
> environment. For example, if you have a Windows environment with client machines (e.g. most user vlans or home 
> networks), don't turn on the Linux/Unix rules and those pertaining to services not present in your network, e.g. DNS, 
> Web, SQL.... If you're not sure what's in your environment, run nmap against it to gather open ports and operating 
> systems. 
>
> Happy Snorting!
>
> Nick
>
> On Mon, Mar 26, 2012 at 5:24 AM, Philip Edwards <phil.e () clara net> wrote:
>
>
> > Hello everybody,
> >
> > I've recently setup snort 2.9.2 on Ubuntu, and used oinkmaster to get the 2921 rules.
> > It runs fine in Daemon mode and the base interface is reporting alerts. The machine only currently has one NIC so 
> > i'm attempting to generate alerts from my laptop on the same network. I've tried ping flooding it and port scanning 
> > it but every alert is currently showing up as a "Community SIP TCP/IP message flooding directed to SIP proxy SID 
> > 100000160".
> >
> > Ive been led to believe that since i haven't tuned it yet these are false positives and will disappear when i have.
> > My question is why are portscans and ping floods showing up as the same thing and why none of the three SID's 
> > detected so far appear in the online database?
> >
> > Thanks
> >
> > Phil.
>
>
> ------------------------------------------------------------------------------
> This SF email is sponsosred by:
> Try Windows Azure free for 90 days Click Here
> http://p.sf.net/sfu/sfd2d-msazure
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
>
>
> -- 
> Nick Moore, SFCE, CISSP, CISA
> Sr. Systems Engineer
> Voice 708-336-9041
> Email nick.moore () sourcefire com
> IM    nickgmoore (Yahoo)
>        nickgmoore38 (AIM)
>
>     ,,_
>    o"  )~   Sourcefire - The Creators of Snort
>     ''''
>
> www.sourcefire.com         www.snort.org     www.immunet.com
>
> ------------------------------------------------------------------------------
> This SF email is sponsosred by:
> Try Windows Azure free for 90 days Click Here 
> http://p.sf.net/sfu/sfd2d-msazure_______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
This SF email is sponsosred by:
Try Windows Azure free for 90 days Click Here 
http://p.sf.net/sfu/sfd2d-msazure

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!