Snort mailing list archives

Re: HELP!


From: Erek Adams <erek () theadamsfamily net>
Date: Fri, 9 Nov 2001 11:52:25 -0800 (PST)

On Fri, 9 Nov 2001, Noah Silverman wrote:

> I tried this. It DOES stop the portscan report, BUT I still get logging from
> my DNS IP and entries in the alert log file.
>
> I am also getting entries from the IP of my machine.  I DO have my home IP
> set correctly.

Noah,

        IMHO, if you are getting alerts that you think you shouldn't, the very
first thing to do is to find out 'Why?'.  Forget about disabling anything and
concentrate on the traffic that is being alerted on.  IOW, check out the
packet dumps.  See if it _is_ legitimate traffic.  It may not be!  Don't just
assume your HOME_NET is a perfectly secured place!  :)

        You may want to use a pass rule to allow traffic that is valid to be
passed with no alert.  If you do this, be very, very careful.  One badly
written pass rule can mess up your whole day!  You'll want to use the '-o'
option for that....  Be warned that since snort does the 'match, then exit' if
the pass rule matches, it will quit checking for alerts.  That can be bad if
you have a pass rule that allows anything to come in!

        What types of alerts are being logged into the alert file from your
other boxes?

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
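An added example, not from the original message and not Snort's own code: a small Python model of the "match, then exit" rule ordering described above. It implements only the ordering semantics (the default Snort order alert -> pass -> log, and the pass -> alert -> log order that '-o' selects) on a tiny subset of rule syntax; HOME_NET, DNS_SERVERS, the rules and the packets are constructed for the example. It shows why a tightly scoped pass rule for the known resolver only works under '-o', and why a broad pass rule under '-o' silences every other alert.

```python
"""Toy model of Snort 1.x rule ordering ("match, then exit").

Added example, not Snort's own code: it models only the rule-order
semantics (default alert -> pass -> log, '-o' pass -> alert -> log)
on a tiny subset of rule syntax.  All rules, addresses and packets
below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# Constructed variable values, not from the original post.
VARS = {"$HOME_NET": "192.168.1.0/24", "$DNS_SERVERS": "192.168.1.2"}


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str


def parse_rule(line):
    """Parse 'action proto src sport -> dst dport (msg:"...";)' into a Rule."""
    head, _, opts = line.partition("(")
    action, proto, src, sport, arrow, dst, dport = head.split()
    if arrow != "->":
        raise ValueError("only unidirectional rules are modelled")
    msg = ""
    for opt in opts.rstrip(");").split(";"):
        key, _, val = opt.strip().partition(":")
        if key == "msg":
            msg = val.strip().strip('"')
    return Rule(action, proto, src, sport, dst, dport, msg)


def ip_matches(spec, addr):
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, pkt):
    return ((rule.proto == "ip" or rule.proto == pkt.proto)
            and ip_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)
            and ip_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport))


DEFAULT_ORDER = ("alert", "pass", "log")   # Snort's default action order
O_FLAG_ORDER = ("pass", "alert", "log")    # the order 'snort -o' selects


def evaluate(rules, pkt, order=DEFAULT_ORDER):
    """First matching rule wins ("match, then exit"); return (action, msg)."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule_matches(rule, pkt):
                return action, rule.msg
    return "none", ""


# A tightly scoped pass rule: only replies from our own resolver are passed.
RULES_TIGHT = [parse_rule(r) for r in [
    'alert udp any 53 -> $HOME_NET any (msg:"DNS reply";)',
    'pass udp $DNS_SERVERS 53 -> $HOME_NET any (msg:"our resolver";)',
    'alert tcp any any -> $HOME_NET 23 (msg:"telnet attempt";)',
]]
# The same set with a badly written pass rule that matches everything.
RULES_BROAD = RULES_TIGHT[:1] + [parse_rule('pass ip any any -> any any (msg:"oops";)')] + RULES_TIGHT[2:]

# Constructed packets.
DNS_FROM_RESOLVER = Packet("udp", "192.168.1.2", 53, "192.168.1.10", 40123)
DNS_FROM_OUTSIDE = Packet("udp", "203.0.113.5", 53, "192.168.1.10", 40124)
TELNET = Packet("tcp", "198.51.100.7", 4444, "192.168.1.10", 23)


def demo():
    """Resulting action for each (order, ruleset, packet) combination."""
    return {
        "default/tight/resolver": evaluate(RULES_TIGHT, DNS_FROM_RESOLVER)[0],
        "-o/tight/resolver": evaluate(RULES_TIGHT, DNS_FROM_RESOLVER, O_FLAG_ORDER)[0],
        "-o/tight/outside": evaluate(RULES_TIGHT, DNS_FROM_OUTSIDE, O_FLAG_ORDER)[0],
        "-o/tight/telnet": evaluate(RULES_TIGHT, TELNET, O_FLAG_ORDER)[0],
        "-o/broad/telnet": evaluate(RULES_BROAD, TELNET, O_FLAG_ORDER)[0],
    }


if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case:26s} -> {action}")
```

Without '-o' the resolver's replies still alert, because the alert rule is checked before the pass rule ever gets a chance. With '-o' the tight pass rule silences only the resolver, while replies from an unknown source and the telnet attempt still alert; the broad pass rule under '-o' swallows the telnet attempt as well, which is the failure the message warns about.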


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

