[Snort-users] FAQ...

Christopher Cramer cec at ...68...
Fri Nov 17 08:47:20 EST 2000


Here are some answers to your questions:

1.  Some of the interpretation is up to you.  The default snort.conf rules
check for many, many odd things, not necessarily evil, just
unusual.  Example, there is a rule warning of telnet connections.  Well,
telnet isn't great, and people shouldn't use it, but it doesn't mean your
network is under attack.  

To help w/ all of this, I would suggest installing one of the log parsing
tools.  We use snortsnarf.  It generates html pages summarizing the
different alerts.  Where possible, it also links to www.whitehats.com for
an explanation of the particular alert.

2. "var DNSSERVERS dns1.domain.tld dns3.domain.tld"
followed by: "preprocessor portscan-ignorehosts: DNSSERVERS" won't
work.  It turns out that this is a subtle flaw in the rule parsing
mechanisms.  Instead, use the statement: 
"preprocessor portscan-ignorehosts: dns1.domain.tld

This should ignore those hosts.  

I hope this helps.  If you need some clarification, let me know.


Dr. Christopher E. Cramer
Assistant Research Professor
Duke University, Department of Electrical and Computer Engineering
114 Hudson Hall, Box 90291, Durham, NC  27708-0291
PH:  919-660-5248     FAX:  919-660-5293     email:  cec at ...68...

On Fri, 17 Nov 2000, Christoph Ganser wrote:

> hi 
> i am new to this list.
> i have newly installed snort on a box checking a 512kb link. in a few day
> we are goning to have a 10mb link.
> as i am new to snort i just used all rules in the snort db. now i have
> many many massages. 
> my questions:
> 1. do you know a document, witch is going to help me to interpret all
> these
> messages? what is harmless and witch messages not. 
> 2. i get many port scan messages from the dns-servers. i read somewhere,
> that i can set a dnsservers variable in the rules file.
> something like 
> var DNSSERVERS dns1.domain.tld dns3.domain.tld
> but it didn't help much. what is wrong?
> thanks and bye
> christoph
> --
> Christoph Ganser
> Zuerich, Switzerland
> PGP http://www.uplink.ethz.ch/~chganser/pgp_keys.asc
> Mobile: +41 76 580 72 90
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

More information about the Snort-users mailing list