Snort mailing list archives
Re: false alarm with snort 2.0, why?
From: Holger Marzen <holger () marzen de>
Date: Tue, 29 Apr 2003 09:07:44 +0200 (CEST)
On Mon, 28 Apr 2003, Matt Kettler wrote:
You included some details of the packet, but you skipped including any details of the alert.
These were the complete contents of the alert log. That's why it's so difficult to find out why snort logs them.
Which rule or preprocessor is generating the alert/log?
I am afraid "core" snort. The "log" rules.
Did you start snort with the -o parameter?
Snort is started with

    /usr/local/bin/snort -dev -D -A full -c /etc/snort/snort.conf

snort.conf looks like

    ...
    var WEB <ip-addr>
    var IDS <ip-addr>
    [...]
    preprocessor http_decode: 80 8080
    pass tcp $WEB any <> $DB 5000
    pass tcp $IDS any <> $MAIL 1984
    pass tcp any any <> $MAIL 80
    [...]
    pass icmp any any <> any any
    [...]
    log tcp any any <> any any (logto:"important.log";)
    log udp any any <> any any (logto:"important.log";)
    log icmp any any <> any any (logto:"important.log";)

It's the file important.log that contains very few messages that usually get "pass"ed by a pass rule. These connections occur every 2 minutes, but only a couple per day are logged (not all the packets!), and only the response packets of tcp-connections from the snort machine to another. And only if the ephemeral local port is 3306. Very strange.

--
PGP/GPG Key-ID: http://blackhole.pca.dfn.de:11371/pks/lookup?op=get&search=0xB5A1AFE1
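Added illustration, not part of the thread: a small Python model of Snort 2.x's documented rule-type ordering (default Alert, Pass, Log; with -o it becomes Pass, Alert, Log), fed the rule headers quoted above. The addresses assigned to $WEB, $IDS, $DB and $MAIL are constructed placeholders, as are the sample packets; it shows that a reply from $MAIL:80 to local port 3306 is covered by the bidirectional pass rule, while the same reply from a host no pass rule names falls through to the log rule under either ordering, since pass precedes log in both.

```python
# Added model of Snort 2.x rule-type ordering (default: Alert, Pass, Log; with -o: Pass, Alert, Log).
# Rules are the headers quoted from the snort.conf above; the addresses are constructed placeholders.
VARS = {"$WEB": "192.0.2.10", "$IDS": "192.0.2.20", "$DB": "192.0.2.30", "$MAIL": "192.0.2.40"}
RULES_TEXT = """
pass tcp $WEB any <> $DB 5000
pass tcp $IDS any <> $MAIL 1984
pass tcp any any <> $MAIL 80
pass icmp any any <> any any
log tcp any any <> any any
log udp any any <> any any
log icmp any any <> any any
"""
DEFAULT_ORDER = ("alert", "pass", "log")  # snort started without -o
DASH_O_ORDER = ("pass", "alert", "log")   # snort -o

def parse_rules(text):
    """Split each rule header into (action, proto, src, sport, dir, dst, dport), expanding $vars."""
    rules = []
    for line in text.strip().splitlines():
        action, proto, src, sport, direction, dst, dport = line.split()
        rules.append((action, proto, VARS.get(src, src), sport, direction, VARS.get(dst, dst), dport))
    return rules

def _endpoint_matches(addr, port, pkt_addr, pkt_port):
    return (addr == "any" or addr == pkt_addr) and (port == "any" or int(port) == pkt_port)

def rule_matches(rule, pkt):
    """Header match only; '<>' rules are tried in both directions, '->' only forward."""
    _, proto, src, sport, direction, dst, dport = rule
    if proto != pkt["proto"]:
        return False
    fwd = (_endpoint_matches(src, sport, pkt["src"], pkt["sport"])
           and _endpoint_matches(dst, dport, pkt["dst"], pkt["dport"]))
    if direction == "->":
        return fwd
    rev = (_endpoint_matches(src, sport, pkt["dst"], pkt["dport"])
           and _endpoint_matches(dst, dport, pkt["src"], pkt["sport"]))
    return fwd or rev

def decide(rules, pkt, order=DEFAULT_ORDER):
    """Snort takes one action per packet: the first rule type in `order` with a matching rule wins."""
    for action in order:
        for rule in rules:
            if rule[0] == action and rule_matches(rule, pkt):
                return action
    return None  # nothing matched, so nothing is logged or alerted

def pkt(proto, src, sport, dst, dport):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

# Constructed packets: a reply from $MAIL:80 to the IDS's ephemeral port 3306, and the same reply
# from a host that no pass rule names (the latter reaches 'log tcp any any <> any any' either way).
REPLY_FROM_MAIL = pkt("tcp", VARS["$MAIL"], 80, VARS["$IDS"], 3306)
REPLY_FROM_OTHER = pkt("tcp", "198.51.100.7", 80, VARS["$IDS"], 3306)
```

Running `decide(parse_rules(RULES_TEXT), REPLY_FROM_MAIL)` returns "pass" and `decide(..., REPLY_FROM_OTHER)` returns "log", with or without the -o ordering.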
Current thread:
- false alarm with snort 2.0, why? Holger Marzen (Apr 28)
- <Possible follow-ups>
- Re: false alarm with snort 2.0, why? Matt Kettler (Apr 28)
- Re: false alarm with snort 2.0, why? Holger Marzen (Apr 29)