Snort mailing list archives

Re: Too much of snort events


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Fri, 13 May 2016 06:04:47 +0000

Those are preprocessor events for Stream5 (GID:129). See the preprocessor.rules file. You can disable them there if you like.

Have you set up your home_net and external_net variables correctly?


Albert Lewis
QA SNORT/Sourcefire
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Oleg Makarov [mailto:oamakarov () platbox com]
Sent: Thursday, May 12, 2016 7:26 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Too much of snort events

Hi guys!
Please give me some advice, sorry I'm a newbie here.
So I have Snort+Barnyard2+PulledPork+Aanval (as web SIEM).
It works correctly. I found a lot of alerts with gen_id 129, sig_id 12 and gen_id 129, sig_id 4 and suppressed them (they're not informative). I found them in Aanval and it's trying to upload the whole MySQL DB.
But there are still too many alerts, ~30 events per second, and that's nearly 800k events per day.
How can I better understand what is generating these events?
Thanks.
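One way to answer the question asked here (which signatures and which hosts are producing the flood, and what to put in threshold.conf) is to tally Snort's alert_fast output by gen_id:sig_id and by source address. This is an added example, not code from the thread or from the Snort project; the alert lines are constructed samples (the 1:1000001 rule is made up), and the `suppress gen_id N, sig_id M` lines it emits use Snort's own threshold.conf syntax.

```python
import re
from collections import Counter

# Constructed sample lines in alert_fast format; 129:x are Stream5 preprocessor
# events, 1:1000001 is a made-up local rule. Not taken from the mailing list thread.
SAMPLE_ALERTS = [
    "05/12-07:26:01.000001  [**] [129:12:1] Stream5: TCP Small Segment Threshold Exceeded [**] [Priority: 3] {TCP} 10.0.0.5:443 -> 192.168.1.10:51234",
    "05/12-07:26:01.000002  [**] [129:12:1] Stream5: TCP Small Segment Threshold Exceeded [**] [Priority: 3] {TCP} 10.0.0.5:443 -> 192.168.1.11:51240",
    "05/12-07:26:01.000003  [**] [129:4:1] Stream5: TCP Timestamp is outside of PAWS window [**] [Priority: 3] {TCP} 192.168.1.10:51234 -> 10.0.0.5:443",
    "05/12-07:26:01.000004  [**] [129:12:1] Stream5: TCP Small Segment Threshold Exceeded [**] [Priority: 3] {TCP} 10.0.0.5:443 -> 192.168.1.12:51250",
    "05/12-07:26:01.000005  [**] [129:4:1] Stream5: TCP Timestamp is outside of PAWS window [**] [Priority: 3] {TCP} 192.168.1.11:51240 -> 10.0.0.5:443",
    "05/12-07:26:02.000006  [**] [1:1000001:1] LOCAL constructed test rule [**] [Priority: 1] {TCP} 203.0.113.9:4444 -> 192.168.1.10:22",
    "this line is not an alert and is skipped",
]

# [gid:sid:rev] msg [**] ... {proto} src[:sport] -> dst[:dport]
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

def parse_alert(line):
    """Return the fields of one alert_fast line, or None if it is not an alert."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None

def tally(lines):
    """Count alerts per (gid, sid), remember each signature's message text,
    and count per (signature, source IP) so noisy talkers stand out."""
    by_sig, by_src, msgs = Counter(), Counter(), {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        key = (int(a["gid"]), int(a["sid"]))
        by_sig[key] += 1
        by_src[(key, a["src"])] += 1
        msgs[key] = a["msg"]
    return by_sig, by_src, msgs

def suppress_lines(by_sig, min_count):
    """threshold.conf 'suppress' entries for every signature seen at least min_count times."""
    return ["suppress gen_id %d, sig_id %d" % k
            for k, n in sorted(by_sig.items()) if n >= min_count]

if __name__ == "__main__":
    sigs, srcs, msgs = tally(SAMPLE_ALERTS)
    for key, n in sigs.most_common():
        print("%d:%d  %5d  %s" % (key[0], key[1], n, msgs[key]))
    print("\n".join(suppress_lines(sigs, 2)))
```

In practice you would feed it the real alert file (`tally(open("/var/log/snort/alert"))`) and review the per-source counts before suppressing anything, since a single internal host producing all of one signature often points at a misconfigured HOME_NET rather than at a noisy rule.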