Snort mailing list archives

Re: Confused about rules and logs


From: Richard Bejtlich <richard_bejtlich () yahoo com>
Date: Mon, 10 May 2004 04:11:12 -0700 (PDT)

b311b wrote:

I'm running snort version 1.7 on a NetBSD Firewall.  

--

I strongly recommend you upgrade to a version of Snort
not found in the www.snort.org/dl/do_not_use/
directory.  The version you are running is vulnerable
to several exploits.
(www.cert.org/advisories/CA-2003-13.html)

Don't feel too badly about your spp_portscan alerts. 
You can't solve the issue for the same reason we can't
-- you only have alert data on hand.  Alert data is
rarely sufficient on its own.  You need to augment
alert data from Snort with full content and/or session
data.  

For full content data, I recommend using Ethereal
(www.ethereal.com); watch for UDP traffic from
192.168.2.252.  If you're on a really busy network and
want a bigger picture view, use Argus
(www.qosient.com/argus) to collect session data. 
Watch for sessions involving 192.168.2.252.

Remember Snort alerts are only indicators.  They are
the start of an investigation, not the end.  It's the
same for every IDS.

If you need help deciphering what you see, post a
trace here.

Sincerely,

Richard
http://www.taosecurity.com
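As an added illustration of the advice above (not part of this post), a Python script that pulls the source host out of a constructed spp_portscan alert and profiles that host's sessions from a constructed session export, so the alert can be judged against session data: a real scan shows many distinct destination ports, while repeated sessions to one or two well-known ports suggest ordinary client traffic tripped the threshold. The alert format is approximated from Snort 1.x, and the session CSV layout is hypothetical rather than Argus's native output.

```python
import re

# Constructed sample spp_portscan alert (Snort 1.x format, approximated).
ALERT = ("May 10 04:11:12 fw spp_portscan: PORTSCAN DETECTED from 192.168.2.252 "
         "(THRESHOLD 4 connections exceeded in 0 seconds)")

# Constructed session records (hypothetical CSV export, not Argus's own format).
# Columns: start,proto,src,sport,dst,dport,pkts,bytes
SESSIONS = """\
04:11:10,udp,192.168.2.252,1025,192.168.2.1,53,2,180
04:11:10,udp,192.168.2.252,1026,192.168.2.1,53,2,176
04:11:11,udp,192.168.2.252,1027,192.168.2.1,53,2,182
04:11:11,udp,192.168.2.252,1028,192.168.2.1,53,2,179
04:11:12,udp,192.168.2.252,137,192.168.2.255,137,3,276
04:11:12,tcp,192.168.2.252,1029,192.168.2.10,80,12,4230
"""

ALERT_RE = re.compile(r"spp_portscan: PORTSCAN DETECTED from (\d+\.\d+\.\d+\.\d+)")

def scanner_ip(alert_line):
    """Return the source address named in a portscan alert, or None."""
    m = ALERT_RE.search(alert_line)
    return m.group(1) if m else None

def parse_sessions(text):
    """Parse the CSV export into dicts with numeric port, packet and byte fields."""
    rows = []
    for line in text.splitlines():
        start, proto, src, sport, dst, dport, pkts, nbytes = line.split(",")
        rows.append({"start": start, "proto": proto, "src": src, "sport": int(sport),
                     "dst": dst, "dport": int(dport), "pkts": int(pkts), "bytes": int(nbytes)})
    return rows

def profile_host(sessions, host):
    """Per protocol: sessions originated by host, distinct destinations, distinct dports."""
    prof = {}
    for s in sessions:
        if s["src"] != host:
            continue
        p = prof.setdefault(s["proto"], {"sessions": 0, "dsts": set(), "dports": set()})
        p["sessions"] += 1
        p["dsts"].add(s["dst"])
        p["dports"].add(s["dport"])
    return {proto: {"sessions": v["sessions"], "hosts": len(v["dsts"]),
                    "ports": len(v["dports"]), "dports": sorted(v["dports"])}
            for proto, v in prof.items()}

def looks_like_scan(profile, min_ports=5):
    """A scan spreads over many dports; client chatter repeats a few well-known ones."""
    return any(v["ports"] >= min_ports for v in profile.values())

if __name__ == "__main__":
    host = scanner_ip(ALERT)
    prof = profile_host(parse_sessions(SESSIONS), host)
    for proto, v in prof.items():
        print(host, proto, v)
    print("scan-like:", looks_like_scan(prof))
```

With the constructed data the UDP sessions all go to port 53 or 137, so the script reports the alert as not scan-like; swapping in a record set with many distinct dports flips the verdict.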
