Re: SNORT daily report

[Ian Bowers <iggdawg () gmail com>]

Because of the way dynamic NAT/PAT works, often times you'll see false
positives for certain services that just happen to get NAT'd to a port
which a well known service runs on.  Technically even the low ports are
fair game for dynamic port translation.  So you end up with DNS or TFTP
sigs firing on P2P transfers or something unrelated.  There are numerous
scenarios that can result in these kinds of false positives.  The need
for investigation is what makes IDS so interesting, and on the same token
makes it almost impossible to automate.

I think ultimately your concern is related more to signatures than the
Snort application itself.

Regards,
-Ian

On Sun, Jul 15, 2012 at 6:31 PM, Maneesh Patel <mnshptl32 () gmail com> wrote:

> I am running an apache2 server on Ubuntu 10.04 (with ssh also
> running).  I recently installed snort.  I apologize for this
> elementary question, but I am having trouble understanding the daily
> report e-mailed by snort.  There are various lines such as
>
>   COMMUNITY SIP TCP/IP message flooding directed to SIP proxy
>   (ftp_telnet) FTP traffic encrypted
>
> some to my IP address, some from it.  I would like to know what I
> should be looking out for, which lines in the report are innocuous and
> which might require some countermeasures.  The snort man page does not
> shed light on this, as far as I can tell.  Can someone please direct
> me to some documentation that clarifies the daily report?
>
> Maneesh
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!