Snort config question


From: "Chris W." <guamchris () yahoo com>
Date: Sun, 3 Feb 2002 23:17:03 -0600

Hello everyone,

Before I begin, this is my configuration:

System #1

OS: Windows XP Pro
Snort 1.8.2
MySQL
ACID

System #2

OS: Windows XP Pro
Snort 1.8.2
ZoneAlarm
BlackIce

On both systems:

var HOME_NET any
var EXTERNAL_NET any

Both systems are connected to a Linksys BEFSR41 router which is
connected to my cable modem.  I have System #2 configured to dump the
alerts to the MySQL database on the first system.  It seems to be
working with one exception:  BlackIce is registering a frequent number
of HTTP port probes (4-5 per hour) and even a few SubSeven probes.
However, neither of these shows up as alerts in Snort.  I have run
NmapNT against System #2 to verify that Snort is functioning on that
machine.

This is my first attempt at running Snort so I am running all rules
except:

# include c:\snort\rules\shellcode.rules
# include c:\snort\rules\policy.rules
# include c:\snort\rules\porn.rules
# include c:\snort\rules\icmp-info.rules

Am I missing something here, or is BlackIce showing me some false hits?
I've tried running without BI but the result was the same.  I'm running
a small mail server on System #2 so it has a number of ports open to it,
but I have yet to see a single alert from outside my network (on
either machine).

Any suggestions will be greatly appreciated!

Chris Wilson



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
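For reference, here is a snort.conf fragment illustrating the network-variable and output settings the question touches on (an added example, not the poster's own configuration). The LAN range 192.168.1.0/24, the database host 192.168.1.100, the password placeholder and the rule paths are assumptions; substitute your own values.

```conf
# snort.conf fragment for a Snort 1.8.x sensor behind a home NAT router.
# ASSUMPTIONS: the LAN behind the BEFSR41 is 192.168.1.0/24 (the Linksys
# default) and System #1 at 192.168.1.100 runs MySQL with a database "snort".

# Scope the sensor to the local network rather than "any": a rule written as
# $EXTERNAL_NET -> $HOME_NET then fires only on traffic arriving from outside,
# and the ACID console shows true direction instead of matching both ways.
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET

# Servers the rule set should watch; a mail server on System #2 makes the
# SMTP rules relevant, and HTTP_SERVERS is what the web-* rules key on.
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET

# Ship alerts from System #2 to the MySQL database on System #1 (ACID reads it).
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=192.168.1.100

# Keep a local fast-format alert file as well, so the sensor's own view can be
# checked even if the database write fails silently.
output alert_fast: alert.ids

# Rule sets: the web-* files cover HTTP probes, backdoor.rules covers SubSeven,
# scan.rules covers port sweeps.  Paths are the poster's c:\snort\rules layout.
include c:\snort\rules\web-misc.rules
include c:\snort\rules\web-cgi.rules
include c:\snort\rules\backdoor.rules
include c:\snort\rules\scan.rules

# Hypothetical sanity-check rule (not part of the Snort distribution): any TCP
# SYN from outside to a local port 80 produces an alert.  If this fires while
# the canned rules stay quiet, the sensor sees the traffic and the variables
# are right; the probes simply do not match a signature.  Remove it afterwards.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL inbound HTTP SYN check"; flags:S; sid:1000001;)
```

With HOME_NET and EXTERNAL_NET both set to `any`, every $EXTERNAL_NET -> $HOME_NET rule matches in both directions, so alerts from the LAN side and the Internet side are indistinguishable in ACID; scoping the variables is the first step when comparing what Snort reports against what a host firewall such as BlackIce logs.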