[Snort-sigs] quick question about Snort + ACID on FreeBSD

Irwan Hadi irwanhadi at ...1830...
Tue Sep 2 05:53:01 EDT 2003


On Tue, Sep 02, 2003 at 01:13:08AM -0400, <-delusion-> wrote:

> Hi, I just set up SNORT on my network. I have it logging to a MySQL database, and I got ACID so that I can view the alerts easily. One problem I am having is that it logs traffic from my network, which I don't want. How can I turn this off? ACID has like 500+ alerts already from one of my Windows boxes saying this:
> 
>    [snort] SCAN UPNP service discover attempt       2003-08-31 19:27:15       192.168.0.91:1040       192.168.0.1:1900       UDP    
> 
> And they're all the same, from the same IP, and the same type of sig.
> 
> Another thing is, I don't think it's been properly set up or something, because it's not logging much. It's been running for the past 4 days, I've been connected all the time, and it only logged the local traffic and some ICMP traffic. I got 0% TCP, 93% UDP, and 7% ICMP. There's only like 30 ICMP alerts, and they seem pretty harmless. I am expecting a lot more alerts to come in, since I'm always-on.

Is it connected to a switch? If so, read FAQ 1.8
http://www.snort.org/docs/FAQ.txt



