Snort mailing list archives

about false alarm.

From: "SW" <samwun () onebb net>
Date: Sat, 14 Sep 2002 11:38:43 +0800

hi,

I want to remove the alarm when my internal ip addr reached the esternal public IP addr. How can I do that in Snort?
eg:

[**] [1:1560:4] WEB-MISC /doc/ access [**]
[Classification: \x808-] [Priority: 2]
09/14/02-11:39:45.517755 192.168.1.5:1306 -> 198.133.219.25:80
TCP TTL:128 TOS:0x0 ID:12417 IpLen:20 DgmLen:377 DF
***AP*** Seq: 0x51E7E0FD  Ack: 0x226C2FBE  Win: 0xFBB8  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0678]
[Xref => http://www.securityfocus.com/bid/318]

I don't think this is a valid alarm, it is false possitive, isn't it? hwo can I stop snort for logging these alrm?
And I also dont[ know why the Classification has Hex as its name.

Thanks
Sam

Current thread:

snort not starting from cron JB (Sep 09)
- Re: snort not starting from cron Erek Adams (Sep 09)
- Re: snort not starting from cron twig les (Sep 09)
  - about false alarm. SW (Sep 13)