Snort mailing list archives
Viewing detail logs causes secondary false positive.
From: "R. Anthony Kolstee" <tkolstee () manyroads com>
Date: 01 Jul 2002 00:22:46 -0400
I run both SnortReport and ACID on my snort logs, and have experienced an interesting phenomena with both. Pardon me if this is in TFM somewhere... When viewing the detailed logs including payload data on an alert, I've found that the content revealed in the payload usually causes a secondary alert to occur. Obviously the content of the payload being viewed is going to contain the original string that caused the IDS to alert in the first place, but has anyone found a reliable way around this? My only thought at the moment is to use SSL on the web browser when viewing these reports; does anyone else have a better way around this that isn't immediately apparent to me? Note that I can't make the console immune or invisible to alerts on port 80, because the box in question is a collocated web server and as such is self-contained.
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- Viewing detail logs causes secondary false positive. R. Anthony Kolstee (Jul 01)