Snort mailing list archives
RE: Thresholding and suppression
From: "Lance Boon" <lboon () firststatebanksw com>
Date: Fri, 15 Oct 2004 09:51:17 -0500
I think I've figured out the problem. I set the var TELNET_SERVERS $HOME_NET, then set up snort to log to a tcpdump file with just sid 716 enabled, and it's logging the way that I want it to now. I guess I was misunderstanding about using the var WHATEVER_SERVERS portion. Correct me if I'm wrong, but if you specify an ip in there, snort will only look for attacks going to that specific ip address. Now if I wanted to see if anybody was using telnet or whatever, I should have that set for var WHATEVER_SERVERS $HOME_NET? Also it looks like you are right on that jetdirect box as well; I had to enable a telnet server on a 2003 server to get this rule to fire. Thanks for the help.

That rule actually gets triggered upon seeing a specific response from a Telnet server. Your jet direct box may not be using a standard telnet server, so it doesn't respond in a way that the rule is expecting.

I've run into something strange when using the threshold.conf file. If I try to: suppress gen_id 1, sig_id 716, track by_src, ip x.x.x.x all alerts that are generated for telnet access to that specific ip address are suppressed as expected, but if I try to telnet to a jet direct box I would think that alerts should be generated for that sig, as the ip address is different, but I don't see any alerts generated... Everything else is working correctly. I'm using snort 2.2/latest ruleset/barnyard 0.2.0. I've got my home net set to x.x.x.x/20 and var EXTERNAL_NET !$HOME_NET with an ip in the var TELNET_SERVERS [x.x.x.x]. Am I just missing something?
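The thread's two interacting mechanisms, a rule-header variable such as $TELNET_SERVERS deciding whether sid 716 can match at all, and a threshold.conf suppress entry deciding whether a matched alert is then dropped, are easy to confuse because both end in "no alert". The model below is an added illustration written for this archive page, not Snort's own code and not the real sid 716 rule: the addresses are made up, the suppress-line grammar is the one quoted in the post, and the stand-in rule simply fires on traffic from port 23 of any host listed in $TELNET_SERVERS (an assumption in place of the real rule's content match on the server response). It reproduces the poster's observation: with a single ip in $TELNET_SERVERS the jetdirect box never generates an alert, so suppression is not what hides it; widening the variable to $HOME_NET makes the rule eligible to fire for that box.

```python
"""Constructed model of a Snort-style rule variable and a threshold.conf
'suppress' entry working together.  Illustration only; not Snort code."""
import ipaddress
import re

# Constructed snort.conf-style variables (made-up addresses, assumption).
HOME_NET = "10.20.0.0/20"
VARIABLES = {
    "$HOME_NET": [HOME_NET],
    "$EXTERNAL_NET": ["!" + HOME_NET],
    "$TELNET_SERVERS": ["10.20.1.5"],   # the single ip from the poster's setup
}

# Constructed threshold.conf content, using the syntax quoted in the thread.
THRESHOLD_CONF = """
# drop alerts whose source is the known telnet server
suppress gen_id 1, sig_id 716, track by_src, ip 10.20.1.5
"""

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+),"
    r"\s*track\s+(by_src|by_dst),\s*ip\s+(\S+)$"
)


def parse_suppress(text):
    """Parse 'suppress' lines into (gid, sid, track, network) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError("unsupported threshold.conf line: " + line)
        gid, sid, track, ip = m.groups()
        entries.append((int(gid), int(sid), track,
                        ipaddress.ip_network(ip, strict=False)))
    return entries


def ip_in_var(ip, var, variables):
    """True if ip matches the variable's list.  A leading '!' negates one
    network; only simple single-entry lists are modelled here."""
    addr = ipaddress.ip_address(ip)
    for item in variables[var]:
        negate = item.startswith("!")
        net = ipaddress.ip_network(item.lstrip("!"), strict=False)
        if (addr in net) != negate:
            return True
    return False


def classify(gid, sid, src, sport, dst, entries, variables):
    """Return 'no-alert' (rule never matched), 'suppressed' (matched but
    removed by threshold.conf) or 'alert'.  The rule check is a stand-in
    for sid 716 (assumption): source port 23 and source in $TELNET_SERVERS."""
    if not (sid == 716 and sport == 23
            and ip_in_var(src, "$TELNET_SERVERS", variables)):
        return "no-alert"
    for e_gid, e_sid, track, net in entries:
        if (e_gid, e_sid) != (gid, sid):
            continue
        tracked = src if track == "by_src" else dst
        if ipaddress.ip_address(tracked) in net:
            return "suppressed"
    return "alert"


if __name__ == "__main__":
    entries = parse_suppress(THRESHOLD_CONF)
    # known telnet server -> internal client: matched, then suppressed
    print(classify(1, 716, "10.20.1.5", 23, "10.20.3.7", entries, VARIABLES))
    # jetdirect box (not in $TELNET_SERVERS): the rule never matches
    print(classify(1, 716, "10.20.2.9", 23, "10.20.3.7", entries, VARIABLES))
    # same box after var TELNET_SERVERS $HOME_NET: now eligible to alert
    wide = dict(VARIABLES, **{"$TELNET_SERVERS": [HOME_NET]})
    print(classify(1, 716, "10.20.2.9", 23, "10.20.3.7", entries, wide))
```

The useful diagnostic habit this encodes: when an expected alert is missing, first confirm the rule header can match the flow (variables, ports, direction) before looking at threshold.conf, because suppression only acts on alerts that were generated in the first place.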
Attachment: smime.p7s
Current thread:
- RE: Thresholding and suppression Lance Boon (Oct 15)
- <Possible follow-ups>
- Thresholding and suppression Lance Boon (Oct 15)
- Re: Thresholding and suppression sekure (Oct 15)
- Re: Thresholding and suppression Paul Schmehl (Oct 15)