Snort mailing list archives

Re: next snort task


From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Wed, 9 Sep 2009 12:25:50 -0600

Hi Ron,

Filtering out false positives:
You can find the rule in a couple of ways. Here's what I do:

Determine what the rule SID is:

cd into your snort etc directory where sid-msg.map is
grep "<rule description from base>" sid-msg.map

You can filter out false positives in a couple of ways depending on what you want to filter:


 1.  Filter the rule based on src or dst address/network using the threshold.conf file.
 2.  Comment out the rule in the rule file (although this doesn't work well with auto-updating rules I find.)
 3.  Utilize your rule update mechanism to comment out specific rules.  If you are using Oinkmaster you can specify which rule SIDs to disable (comment out) after doing an update.  Pulled Pork probably has a similar feature.  This is what I do with oinkmaster (haven't upgraded to Pulled Pork yet.)


Email:

Not sure what systems you have, but we have a central syslog server that can send emails based on specific criteria.  
If you have nothing like that, you will have to setup something on the Snort box itself to watch the syslog and send 
emails (Swatch like Joel suggested maybe?)

Hope that helps,
Shawn
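
The SID lookup and filter options above, as an added example that is not part of Shawn's post: it looks up a SID by the exact alert message in a constructed sid-msg.map excerpt (illustrative SIDs, messages without the classtype suffix BASE appends), then prints the threshold.conf suppress line for option 1 and the oinkmaster.conf disablesid line for option 3. The host/network argument to suppress_line is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Looks up a Snort rule SID by the
# alert message shown in BASE, then prints the threshold.conf suppress line and
# the oinkmaster.conf disablesid line that would filter that rule.
# The sid-msg.map excerpt below is constructed sample data with illustrative SIDs.
SID_MSG_MAP='1384 || MISC UPnP malformed advertisement || cve,2001-0876
3149 || VOIP-SIP inbound 401 Unauthorized message
3150 || VOIP-SIP outbound 401 Unauthorized message'

# Print the SID whose message field matches exactly. An exact field compare
# avoids the substring hits a plain grep gives when one message is a prefix
# of another. Prints nothing when the message is not in the map.
sid_for_msg() {
    printf '%s\n' "$SID_MSG_MAP" | awk -F ' [|][|] ' -v msg="$1" '$2 == msg { print $1 }'
}

# Option 1: suppress the rule only for one source host or CIDR (threshold.conf).
# gen_id 1 is the Snort rule engine; $1 is the SID, $2 the address or network.
suppress_line() {
    printf 'suppress gen_id 1, sig_id %s, track by_src, ip %s\n' "$1" "$2"
}

# Option 3: disable the rule after every Oinkmaster update (oinkmaster.conf).
disablesid_line() {
    printf 'disablesid %s\n' "$1"
}

# Demo: suppress the UPnP rule for one assumed internal subnet, and disable the
# two SIP 401 rules outright. Append the output to the respective config files.
sid=$(sid_for_msg 'MISC UPnP malformed advertisement')
suppress_line "$sid" 192.168.1.0/24
for m in 'VOIP-SIP inbound 401 Unauthorized message' \
         'VOIP-SIP outbound 401 Unauthorized message'; do
    disablesid_line "$(sid_for_msg "$m")"
done
```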

________________________________
From: Ron Kaye Jr [mailto:rekaye1005 () verizon net]
Sent: Wednesday, September 09, 2009 11:02 AM
To: snort-users () lists sourceforge net
Cc: plug () lists phillylinux org
Subject: [Snort-users] next snort task

I am finally up and snorting away.
BASE engine with graphing is working fine.

1) I am finding alerts I am not interested in,
for example ...

MISC UPnP malformed advertisement
VOIP-SIP outbound 401 Unauthorized message protocol-command-decode
VOIP-SIP inbound 401 Unauthorized message protocol-command-decode

I want to filter them out.
Not sure how; I wouldn't know which rule file generated these messages, and if I did, how to do it.

2) I would like the alerts to go to my email.
I am a complete rookie here.
Heard of sendmail, received a vague reference to postfix, but have no clue.
Then have to send to an smtp relay server somewhere I'm guessing.


Ron Kaye Jr
914-7294734