[Snort-users] Tweaking false positive alert
lance at ...185...
Sat Mar 10 12:54:38 EST 2001
Okay folks, how do I log this without alerting this
behavior? My internal DNS server is generating A LOT
of false alerts because it talks to and from port 53.
So I get a lot of these errors.
[**] MISC source port 53 to <1023 [**]
I want to do something like this, but it does not work.
alert udp $EXTERNAL_NET 53 -> $HOME_NET,!192.168.1.10 :1023 (msg:"MISC source port 53 to <1023";)
I want to say, apply this alert to everything in my internal
network BUT my DNS server. How do I do this functionality,
while keeping the alert-pass-log order?
Words of wisdom?