Snort mailing list archives

Re: help with file bpf and ip 0.0.0.0


From: hernani coelho <hernani_coelho () msn com>
Date: Wed, 20 Jan 2016 17:24:12 +0000

How? I don't know where to put it to stop the alerts; I put it everywhere.

hernani
On 20-01-2016 17:13, Al Lewis (allewi) wrote:

Maybe I missed it but why are you using 0.0.0.0/8 in your home_net again?

Albert Lewis

QA Software Engineer

SOURCE*fire*, Inc. now part of *Cisco*

9780 Patuxent Woods Drive
Columbia, MD 21046

Phone: (office) 443.430.7112

Email: allewi () cisco com

*From:*hernani coelho [mailto:hernani_coelho () msn com]
*Sent:* Wednesday, January 20, 2016 12:03 PM
*To:* snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] help with file bpf and ip 0.0.0.0

Now I see that if I search a web page, Snort gives me alerts like this -->

#0-(1-7731) | [snort <http://www.snort.org/search/sid/119-15>] http_inspect: OVERSIZE REQUEST-URI DIRECTORY | 2016-01-20 16:59:34 | 192.168.1.66:57514 | 95.172.94.15:80 | TCP


Is it safe to ignore port 80??
Thanks
hernani

On 20-01-2016 16:52, hernani coelho wrote:

    Sorry, false alert :)

    The alerts are still there; I shut down mldonkey.

    The alerts show the protocol is IP. Can someone help me??

    #1-(1-7660) | [snort <http://www.snort.org/search/sid/129-15>] stream5: Reset outside window | 2016-01-20 16:46:57 | 64.4.8.0 | 0.0.0.0 | IP

    On 20-01-2016 13:58, hernani coelho wrote:

        I have some progress.

        I think it is the program mldonkey for Linux; it has its IP set to
        0.0.0.0. I changed it to 127.0.0.1 and for now the alerts have stopped.
        Thanks

        hernani

        On 20-01-2016 12:29, hernani coelho wrote:


                

            #1-(1-7332) | [snort <http://www.snort.org/search/sid/129-15>] stream5: Reset outside window | 2016-01-20 12:15:53 | 64.4.8.0 | 0.0.0.0

            I put the filter in snort.conf.

            ipvar HOME_NET [192.168.1.66/24,0.0.0.0/8]
            ipvar EXTERNAL_NET any

            I have now put in /etc/snort/threshold.conf -- src ip
            0.0.0.0/8, and it works, but not for 64.4.8.0; for dst ip
            0.0.0.0/8 it doesn't work.
            Thanks

            hernani

            On 20-01-2016 11:54, James Lay wrote:

                What are the alerts (post sample), where did you put
                the filter at (snort.conf or command line), and what
                are your HOME_NET and EXTERNAL_NET set to?

                James

                On Wed, 2016-01-20 at 09:44 +0000, hernani coelho wrote:

                Nobody can help me??

                On 18-01-2016 10:47, hernani coelho wrote:

                > Hello,
                >
                > I installed Snort and it works, but I receive many alerts from IP 0.0.0.0. I
                > put this in the BPF file -->
                >
                > not ( ip host (192.168.1.66 or 0.0.0.0))
                >
                > For the first IP it works, but for IP 0.0.0.0 it does not work; I receive many
                > alerts.
                >
                > What can I do to ignore alerts from IP 0.0.0.0?
                >
                > Can someone help me??
                >
                > Thanks
                >
                > hernani


                _______________________________________________

                Snort-users mailing list

                Snort-users () lists sourceforge net
                <mailto:Snort-users () lists sourceforge net>

                Go to this URL to change user options or unsubscribe:

                https://lists.sourceforge.net/lists/listinfo/snort-users

                Snort-users list archive:

                http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

                Please visit http://blog.snort.org to stay current on all the latest Snort news!





