Snort mailing list archives
about false alarm.
From: "SW" <samwun () onebb net>
Date: Sat, 14 Sep 2002 11:38:43 +0800
Hi,

I want to remove the alarm when my internal IP addr reaches the external public IP addr. How can I do that in Snort? E.g.:

[**] [1:1560:4] WEB-MISC /doc/ access [**]
[Classification: \x808-] [Priority: 2]
09/14/02-11:39:45.517755 192.168.1.5:1306 -> 198.133.219.25:80
TCP TTL:128 TOS:0x0 ID:12417 IpLen:20 DgmLen:377 DF
***AP*** Seq: 0x51E7E0FD Ack: 0x226C2FBE Win: 0xFBB8 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0678] [Xref => http://www.securityfocus.com/bid/318]

I don't think this is a valid alarm; it is a false positive, isn't it? How can I stop Snort from logging these alarms? And I also don't know why the Classification has hex as its name.

Thanks,
Sam