Snort mailing list archives

Re: false alarm with snort 2.0, why?


From: Holger Marzen <holger () marzen de>
Date: Tue, 29 Apr 2003 09:07:44 +0200 (CEST)

On Mon, 28 Apr 2003, Matt Kettler wrote:

> You included some details of the packet, but you skipped including any
> details of the alert.

These were the complete contents of the alert log. That's why it's so
difficult to find out why snort logs them.

> Which rule or preprocessor is generating the alert/log?

I am afraid "core" snort. The "log" rules.

> did you start snort with the -o parameter?

Snort is started with

/usr/local/bin/snort -dev -D -A full -c /etc/snort/snort.conf

snort.conf looks like ...

var WEB <ip-addr>
var IDS <ip-addr>
[...]
preprocessor http_decode: 80 8080
pass tcp $WEB any <> $DB 5000
pass tcp $IDS any <> $MAIL 1984
pass tcp any  any <> $MAIL 80
[...]
pass icmp any any <> any any
[...]
log tcp any any <> any any  (logto:"important.log";)
log udp any any <> any any  (logto:"important.log";)
log icmp any any <> any any (logto:"important.log";)

It's the file important.log that contains very few messages, which usually
get "pass"ed by a pass rule. These connections occur every 2 minutes,
but only a couple per day are logged (not all the packets!), and only
the response packets of tcp-connections from the snort machine to
another. And only if the ephemeral local port is 3306. Very strange.

-- 
PGP/GPG Key-ID:
http://blackhole.pca.dfn.de:11371/pks/lookup?op=get&search=0xB5A1AFE1
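To make the pass/log ordering discussed in the reply concrete, here is an added example (not from the thread and not Snort's own code): a small Python model of how Snort 2.0 walks the posted pass and log rules, in the default Alert->Pass->Log order and in the Pass->Alert->Log order selected by -o. The IP addresses behind $WEB, $IDS, $DB and $MAIL and the shape of the "reply" packet are constructed assumptions.

```python
from collections import namedtuple

# Constructed placeholder addresses; the posted snort.conf only showed "<ip-addr>".
VARS = {"WEB": "10.0.0.10", "IDS": "10.0.0.20", "DB": "10.0.0.30", "MAIL": "10.0.0.40"}
# The pass/log rules from the posted fragment: (action, proto, src, sport, dir, dst, dport)
RULES = [
    ("pass", "tcp", "$WEB", "any", "<>", "$DB", "5000"),
    ("pass", "tcp", "$IDS", "any", "<>", "$MAIL", "1984"),
    ("pass", "tcp", "any", "any", "<>", "$MAIL", "80"),
    ("pass", "icmp", "any", "any", "<>", "any", "any"),
    ("log", "tcp", "any", "any", "<>", "any", "any"),
    ("log", "udp", "any", "any", "<>", "any", "any"),
    ("log", "icmp", "any", "any", "<>", "any", "any"),
]
DEFAULT_ORDER = ("alert", "pass", "log")  # Snort 2.0 without -o
DASH_O_ORDER = ("pass", "alert", "log")   # Snort 2.0 started with -o
Packet = namedtuple("Packet", "proto src sport dst dport")

def _endpoint_matches(addr, port, pkt_addr, pkt_port):
    """One side of a rule header against one side of the packet; $VAR is expanded."""
    if addr.startswith("$"):
        addr = VARS[addr[1:]]
    return addr in ("any", pkt_addr) and (port == "any" or int(port) == pkt_port)

def rule_matches(rule, pkt):
    _, proto, src, sport, direction, dst, dport = rule
    if proto != pkt.proto:
        return False
    forward = (_endpoint_matches(src, sport, pkt.src, pkt.sport)
               and _endpoint_matches(dst, dport, pkt.dst, pkt.dport))
    if direction == "->":
        return forward
    # "<>" is bidirectional, so the reply direction matches the same rule.
    reverse = (_endpoint_matches(src, sport, pkt.dst, pkt.dport)
               and _endpoint_matches(dst, dport, pkt.src, pkt.sport))
    return forward or reverse

def verdict(pkt, order=DEFAULT_ORDER):
    """Walk the rule types in 'order'; the first type with a matching rule decides."""
    for action in order:
        if any(rule[0] == action and rule_matches(rule, pkt) for rule in RULES):
            return action
    return "none"

if __name__ == "__main__":
    # Assumed shape of the puzzling packet: reply from MAIL:1984 to the IDS box's port 3306.
    reply = Packet("tcp", VARS["MAIL"], 1984, VARS["IDS"], 3306)
    print(verdict(reply), verdict(reply, DASH_O_ORDER))  # both orders: pass
```

In both orders the pass type is walked before the log type, so a packet that any pass rule covers never reaches the log rules in this model; only traffic no pass rule covers, such as UDP here, ends up in important.log.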

