[Snort-users] Tweaking false positive alert

Lance Spitzner lance at ...185...
Sat Mar 10 12:54:38 EST 2001


Okay folks, how do I log this without alerting this
behavior?  My internal DNS server is generating a lot
of false alerts because it talks to and from port 53.
So I get a lot of these errors.

[**] MISC source port 53 to <1023 [**]

I want to do something like this, but it does not work.

alert udp $EXTERNAL_NET 53 -> $HOME_NET,!192.168.1.10 :1023 (msg:"MISC source port 53 to <1023";)

I want to say, apply this alert to everything in my internal
network BUT my DNS server.  How do I do this functionality,
while keeping the alert-pass-log order?  

Words of wisdom?

-- 
Lance Spitzner
http://project.honeynet.org
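To make the question concrete, here is an added Python model (not Snort's own code and not from the thread) of how a Snort-style address list with a negated entry would evaluate against this rule's traffic, and why a pass rule cannot help under the default alert-pass-log order. The variable values, the 192.168.1.0/24 home network, the list semantics and the ':1023' port handling are assumptions made for the example.

```python
import ipaddress

# Constructed rule variables for this example (not the poster's real config).
VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}

def addr_match(spec, ip, variables=VARS):
    """Snort-style address list against one IP. Assumed semantics: an entry is
    'any', a host/CIDR, or a $VAR expanding to another list, with a leading
    '!' negating it; the list matches when some positive entry matches (or
    there are none) and no negated entry matches."""
    positives, negatives = [], []
    for entry in spec.strip("[]").split(","):
        entry = entry.strip()
        negated, entry = entry.startswith("!"), entry.lstrip("!")
        if entry == "any":
            hit = True
        elif entry.startswith("$"):
            hit = addr_match(variables[entry[1:]], ip, variables)
        else:
            hit = ipaddress.ip_address(ip) in ipaddress.ip_network(entry, strict=False)
        (negatives if negated else positives).append(hit)
    return (not positives or any(positives)) and not any(negatives)

def port_match(spec, port):
    """'any', one port, or ':N' meaning ports up to N, as in the poster's rule."""
    if spec == "any":
        return True
    return port <= int(spec[1:]) if spec.startswith(":") else port == int(spec)

def decide(rules, pkt, order=("alert", "pass", "log")):
    """Action of the first rule matching pkt, checked in Snort's rule-type
    order: with the default alert->pass->log, a pass rule cannot suppress an
    alert rule that already matched (only Snort's -o switch reorders them)."""
    for action in order:
        for r in rules:
            if (r["action"] == action
                    and addr_match(r["src"], pkt["src"]) and port_match(r["sport"], pkt["sport"])
                    and addr_match(r["dst"], pkt["dst"]) and port_match(r["dport"], pkt["dport"])):
                return action
    return None

# Constructed traffic: a reply from an outside resolver to the internal DNS
# server (192.168.1.10) and the same kind of reply to a workstation.
TO_DNS = {"src": "203.0.113.5", "sport": 53, "dst": "192.168.1.10", "dport": 53}
TO_HOST = {"src": "203.0.113.5", "sport": 53, "dst": "192.168.1.20", "dport": 1023}

BROAD = {"action": "alert", "src": "$EXTERNAL_NET", "sport": "53", "dst": "$HOME_NET", "dport": ":1023"}
PASS_DNS = {"action": "pass", "src": "any", "sport": "any", "dst": "192.168.1.10", "dport": "any"}
EXCLUDING = dict(BROAD, dst="[$HOME_NET,!192.168.1.10]")
```

Under the default order `decide([BROAD, PASS_DNS], TO_DNS)` still returns "alert", while the negated list in `EXCLUDING` matches the workstation but not the DNS server.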
