Snort mailing list archives
RE: Log questions
From: "Jyri Hovila" <jyri.hovila () iki fi>
Date: Mon, 6 Aug 2001 14:01:14 +0300
Phil, the alerts you're seeing are caused by the stream4 preprocessor. Stream4 does not care where a packet comes from and where it is going; it alerts every time it thinks a packet is somehow suspicious. I disabled stream4, and started to run stream4_reassemble with the 'noalert' option as I got tired of the false alarms.

Yours,

Jyri
Information Security Specialist
Tel: +358-41-448 3238
E-mail: jyri.hovila () iki fi
Certifications: http://www.brainbench.com/transcript.jsp?pid=2301241

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Phil
Sent: 6 August 2001 10:06
To: snort-users () lists sourceforge net
Subject: [Snort-users] Log questions

Snort users,

I have some questions about my logs:

For starters I have a directory under /var/log/snortlogs which is my own external IP address. Everything under the directory is one of the following two:

[**] Possible RETRANSMISSION detection [**]
[**] EVASIVE RST detection [**]

I also have directories for INTERNAL addresses (home_net is set to my external address while external_net is set to everything else). I see how this is possible since it's not my home_net, but since I NAT everything with IPFilter, this seems strange. The internal address logs are for the same two things.

So my 2 questions are:

1. Why are there so many of those two kinds of logs? Are they false alarms? Are they bugs?
2. Why are my external address (which is HOME_NET) and even my internal NAT'd address getting in the logs?

Thanks,
Phil

__________________________________________________
Do You Yahoo!?
Make international calls for as low as $.04/minute with Yahoo! Messenger
http://phonecard.yahoo.com/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
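The triage Phil is asking for, written out as an added example (this is not code from the thread, from Snort, or from either poster): parse a Snort 1.x full-format alert file, count each message by its direction relative to HOME_NET, and separate the stream4 state messages named in the thread from everything else. The alert records, the HOME_NET value and the non-stream4 rule message are constructed for the example; the STREAM4_MSGS list holds only the two messages the thread mentions and is an assumption that a real sensor would extend.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed setup, mirroring the thread: HOME_NET is only the sensor's own
# external address, so the RFC 5737 10.0.0.0/24 hosts play the NAT'd LAN.
HOME_NET = ipaddress.ip_network("203.0.113.10/32")

# Only the two stream4 messages quoted in the thread; extend as needed (assumption).
STREAM4_MSGS = {
    "Possible RETRANSMISSION detection",
    "EVASIVE RST detection",
}

# Constructed sample in Snort 1.x "full alert" layout; not a real capture.
SAMPLE_ALERTS = """\
[**] Possible RETRANSMISSION detection [**]
08/06-10:05:12.345678 203.0.113.10:80 -> 198.51.100.7:3344
TCP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:60 DF
***A**** Seq: 0x1A2B3C4D  Ack: 0x5E6F7081  Win: 0x4000  TcpLen: 20

[**] EVASIVE RST detection [**]
08/06-10:05:13.111111 198.51.100.7:3344 -> 203.0.113.10:80
TCP TTL:52 TOS:0x0 ID:5 IpLen:20 DgmLen:40
***A*R** Seq: 0x5E6F7081  Ack: 0x1A2B3C4E  Win: 0x0  TcpLen: 20

[**] Possible RETRANSMISSION detection [**]
08/06-10:06:01.222222 10.0.0.5:1234 -> 198.51.100.9:25
TCP TTL:64 TOS:0x0 ID:77 IpLen:20 DgmLen:60 DF
***A**** Seq: 0x00000010  Ack: 0x00000020  Win: 0x4000  TcpLen: 20

[**] WEB-MISC /etc/passwd [**]
08/06-10:07:00.333333 198.51.100.9:40000 -> 203.0.113.10:80
TCP TTL:48 TOS:0x0 ID:9 IpLen:20 DgmLen:200 DF
***AP*** Seq: 0x00000030  Ack: 0x00000040  Win: 0x2000  TcpLen: 20
"""

HEADER_RE = re.compile(r"^\[\*\*\]\s*(.*?)\s*\[\*\*\]$")
# Timestamp, then "src[:port] -> dst[:port]"; ports are optional so ICMP records parse too.
FLOW_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(\S+?)(?::(\d+))?\s+->\s+(\S+?)(?::(\d+))?$"
)


def parse_alerts(text):
    """Return one dict per record: message text plus parsed src/dst addresses."""
    records = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"msg": m.group(1), "src": None, "dst": None}
            records.append(current)
            continue
        m = FLOW_RE.match(line)
        if m and current is not None and current["src"] is None:
            current["src"] = ipaddress.ip_address(m.group(2))
            current["dst"] = ipaddress.ip_address(m.group(4))
    return records


def direction(rec):
    """Classify a record by which side, if either, is inside HOME_NET."""
    src_home = rec["src"] in HOME_NET
    dst_home = rec["dst"] in HOME_NET
    if src_home and not dst_home:
        return "home->ext"
    if dst_home and not src_home:
        return "ext->home"
    return "home->home" if src_home else "neither"


def summarize(records):
    """Per-message counts broken down by direction; shows stream4 firing in every direction."""
    table = defaultdict(Counter)
    for rec in records:
        table[rec["msg"]][direction(rec)] += 1
    return {msg: dict(counts) for msg, counts in table.items()}


def stream4_share(records):
    """Fraction of all alerts that are stream4 state/evasion messages."""
    if not records:
        return 0.0
    hits = sum(1 for r in records if r["msg"] in STREAM4_MSGS)
    return hits / len(records)


def non_stream4(records):
    """What is left to look at once the stream4 noise is set aside."""
    return [r for r in records if r["msg"] not in STREAM4_MSGS]


if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_ALERTS)
    for msg, counts in summarize(recs).items():
        print(f"{msg}: {counts}")
    print(f"stream4 share: {stream4_share(recs):.0%}")
    print("remaining:", [r["msg"] for r in non_stream4(recs)])
```

Run it against your own alert file instead of SAMPLE_ALERTS to see the same two things Phil noticed: the stream4 messages appear with HOME_NET on either side and with neither side in HOME_NET, because stream4 tracks every TCP session the sensor sees, and the handful of rule-based alerts that remain after filtering are the ones worth reading.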
Current thread:
- Log questions Phil (Aug 06)
- RE: Log questions Jyri Hovila (Aug 06)
- Re: Log questions Martin Roesch (Aug 06)
- <Possible follow-ups>
- Re: Log questions Phil (Aug 18)
- Re: Log questions Martin Roesch (Aug 18)
- Re: Log questions Phil (Aug 29)
- Re: Log questions Martin Roesch (Aug 29)
- Re: Log questions Phil (Aug 29)
- Re: Log questions Martin Roesch (Aug 18)