Snort mailing list archives
RE: Is this right one?
From: Peter Rodger <prodger2008 () yahoo com>
Date: Fri, 28 Oct 2005 11:59:01 -0700 (PDT)
Why I did not get any alert is because I got an error. If I commented out sfportscan, I got an error "Unknown rule type: memcap" if I run from command snort -c -l and I even could not start the snort service. After I uncomment the sfportscan, I have no problem with -c -l and the service can be restarted. (I followed the doc on the winsnort to install snort as a service.) What am I missing?

Thanks,
Peter

--- "Briggs, Bruce" <Bruce.Briggs () suny edu> wrote:

You won't get any portscan alerts if you comment out, and thus do not run, sfportscan. You should still get http_inspect alerts if you have not suppressed them.

Bruce

-----Original Message-----
From: Peter Rodger [mailto:prodger2008 () yahoo com]
Sent: Wednesday, October 26, 2005 10:22 AM
To: Briggs, Bruce; s
Subject: RE: [Snort-users] Is this right one?

Bruce,

Thank you. If I commented #preprocessor sfportscan, I got no alert at all. Is this normal? BTW, how do I find out the dropped packets from BASE console? (I have a Winsnort on Windows 2003, MSSQL and BASE console.) Currently, the snort box is placed inside firewall and I span the PIX port to the snort monitoring port. (I access it from manager interface on another NIC of the Snort box.) Any suggestions?

Peter

--- "Briggs, Bruce" <Bruce.Briggs () suny edu> wrote:

The downside is that you don't get alerts of possible port scans. Too much noise for my setup and not enough control over tuning the portscan alerts for me.

Bruce

-----Original Message-----
From: Peter Rodger [mailto:prodger2008 () yahoo com]
Sent: Tuesday, October 25, 2005 12:46 PM
To: Briggs, Bruce; s
Subject: RE: [Snort-users] Is this right one?

Bruce,

Thanks for your help as always. Currently, I did the same thing and commented out portscan in the snort.conf. I do not know what's the downside about this? I am getting too much interest in snort and try to learn as a baby. Please forgive my newbie questions.

Thank you,
Peter

--- "Briggs, Bruce" <Bruce.Briggs () suny edu> wrote:

suppress gen_id 119, sig_id 4 works for me. I don't run portscan, so I've not tried suppress on those alerts.

Bruce

-----Original Message-----
From: Peter Rodger [mailto:prodger2008 () yahoo com]
Sent: Tuesday, October 25, 2005 12:07 PM
To: Briggs, Bruce; Eric Maheo; s
Subject: RE: [Snort-users] Is this right one?

Hi,

Thanks for your help and it works (only monitoring exchange servers' traffic). I still could not figure out why this one does not work as posted before:

[snort] (portscan) Open Port unclassified
[snort] (portscan) UDP Portsweep unclassified
[snort] (http_inspect) BARE BYTE UNICODE ENCODING

I have attempted to suppress these alerts in my snort.conf file like the following:

suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 19
suppress gen_id 119, sig_id 4

Could it be too much traffic that overkill the snort box and can not process suppress as indicated above?? Currently, the snort box is placed inside firewall and I span the PIX port to the snort monitoring port. Please give me some suggestions and hints. Should I buy taps?

Thanks as always,
Peter

--- "Briggs, Bruce" <Bruce.Briggs () suny edu> wrote:

The format should be:

suppress gen_id 1, sig_id 1070

Make sure that you have an uncommented include on snort.conf for threshold.conf. Also you could comment out sid_id 1070 in web-misc.rules. Many use oinkmaster to automatically update new Snort sigs and keep mods to their Snort rules.

Bruce

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Peter Rodger
Sent: Tuesday, October 25, 2005 10:35 AM
To: s
Subject: [Snort-users] Is this right one?

Hi all,

I try to suppress this one event: WEB-MISC WebDAV search access. I added suppress sid_id 1070 in the threshold.conf. Is this right?

Thanks,
Peter
=== message truncated ===
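Two sanity checks for the configuration pitfalls this thread circles around, as an added example that is not code from the thread or from the Snort project: commenting out only the first line of the backslash-continued sfportscan directive leaves its memcap line live, which is what Snort then rejects with "Unknown rule type: memcap", and a suppression must be written "suppress gen_id N, sig_id M" (there is no sid_id keyword). The snort.conf and threshold.conf fragments below are constructed.

```python
import re

# Valid Snort 2.x suppression: "suppress gen_id N, sig_id M"
SUPPRESS_RE = re.compile(r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*$")
# Uncommented include of threshold.conf (with or without a path prefix)
INCLUDE_RE = re.compile(r"^include\s+\S*threshold\.conf\s*$")


def orphaned_continuations(conf_text):
    """(lineno, text) of uncommented lines that continue a commented-out
    line ending in a backslash, i.e. lines Snort would parse on their own."""
    hits, dragged = [], False
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            dragged = False
            continue
        commented = line.startswith("#")
        if dragged and not commented:
            hits.append((n, line))
        # a trailing backslash joins the next line to this directive
        dragged = line.endswith("\\") and (commented or dragged)
    return hits


def parse_suppressions(conf_text):
    """Split suppress lines into valid (gen_id, sig_id) pairs and
    (lineno, text) of malformed ones such as 'suppress sid_id 1070'."""
    valid, bad = [], []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("suppress"):
            continue
        m = SUPPRESS_RE.match(line)
        if m:
            valid.append((int(m.group(1)), int(m.group(2))))
        else:
            bad.append((n, line))
    return valid, bad


def threshold_included(conf_text):
    """True if snort.conf has an uncommented include of threshold.conf."""
    return any(INCLUDE_RE.match(l.strip()) for l in conf_text.splitlines())


# Constructed sample: only the first line of sfportscan is commented out.
SAMPLE_SNORT_CONF = """\
# include threshold.conf
#preprocessor sfportscan: proto  { all } \\
                          memcap { 10000000 } \\
                          sense_level { low }
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
"""
# Constructed sample: two valid entries and the thread's original mistake.
SAMPLE_THRESHOLD_CONF = """\
suppress gen_id 122, sig_id 27
suppress gen_id 119, sig_id 4
suppress sid_id 1070
"""
```

Running the checks on the samples flags lines 3 and 4 of snort.conf as orphaned continuations, reports the sid_id entry as malformed, and notes that threshold.conf is not included.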
Current thread:
- Is this right one? Peter Rodger (Oct 25)
- <Possible follow-ups>
- RE: Is this right one? Briggs, Bruce (Oct 25)
- RE: Is this right one? Peter Rodger (Oct 25)
- RE: Is this right one? (one correction) Peter Rodger (Oct 25)
- RE: Is this right one? Peter Rodger (Oct 25)
- RE: Is this right one? Briggs, Bruce (Oct 25)
- RE: Is this right one? Peter Rodger (Oct 25)
- RE: Is this right one? Briggs, Bruce (Oct 25)
- RE: Is this right one? Peter Rodger (Oct 26)
- RE: Is this right one? Peter Rodger (Oct 28)