[Snort-users] Tweaking false positive alert
vision at ...4...
Sat Mar 10 13:33:54 EST 2001
As a last resort you could always whip up a pcap expression to exclude the
host, just append to the snort command line. Maybe something like:
snort <blah options go here> '!(host ns.example.com && src port 53)'
There might be something more elegant to be done within Snort but I can't
think of it right now if there is :)
On Sat, 10 Mar 2001, Lance Spitzner wrote:
> Okay folks, how do I log this without alerting this
> behavior? My internal DNS server is generating A LOT
> of false alerts because it talks to and from port 53.
> So I get a lot of these errors.
> [**] MISC source port 53 to <1023 [**]
> I want to do something like this, but it does not work.
> alert udp $EXTERNAL_NET 53 -> $HOME_NET,!192.168.1.10 :1023 (msg:"MISC source port 53 to <1023";)
> I want to say, apply this alert to everything in my internal
> network BUT my DNS server. How do I do this functionality,
> while keeping the alert-pass-log order?
> Words of wisdom?
> Lance Spitzner
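To see what the pcap filter suggested above does compared with a rule-level exclusion, here is a small Python model (an added example, not code from the thread) that treats the BPF expression as a pre-filter in front of Snort's rule engine. The addresses are constructed: $HOME_NET is 192.168.1.0/24 and 192.168.1.10 stands in for ns.example.com.

```python
"""Model of '!(host DNS && src port 53)' in front of the
'MISC source port 53 to <1023' rule. Addresses are constructed."""
import ipaddress
from typing import NamedTuple

HOME_NET = ipaddress.ip_network("192.168.1.0/24")
DNS_SERVER = ipaddress.ip_address("192.168.1.10")  # stands in for ns.example.com


class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def bpf_passes(pkt: Packet) -> bool:
    """'!(host DNS && src port 53)': True if the packet reaches the rule engine.
    'host' matches either endpoint, so both directions of the server's
    port-53 traffic are dropped before any rule sees them."""
    endpoints = (ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst))
    return not (DNS_SERVER in endpoints and pkt.sport == 53)


def rule_matches(pkt: Packet) -> bool:
    """'alert udp $EXTERNAL_NET 53 -> $HOME_NET :1023', with $EXTERNAL_NET = !$HOME_NET."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return (pkt.proto == "udp" and src not in HOME_NET and pkt.sport == 53
            and dst in HOME_NET and pkt.dport <= 1023)


def alerts(packets, use_bpf: bool):
    """Packets that would raise the MISC alert, with or without the filter."""
    return [p for p in packets if (not use_bpf or bpf_passes(p)) and rule_matches(p)]


def dropped_by_bpf(packets):
    """Packets that no rule at all inspects once the filter is on."""
    return [p for p in packets if not bpf_passes(p)]


# Constructed traffic sample.
SAMPLE = [
    Packet("udp", "203.0.113.5", 53, "192.168.1.10", 53),    # reply to the DNS server: the noise
    Packet("udp", "192.168.1.10", 53, "203.0.113.5", 53),    # server's own query: internal src, never matched
    Packet("udp", "203.0.113.5", 53, "192.168.1.25", 1022),  # other internal host: still alerts
    Packet("udp", "203.0.113.9", 53, "192.168.1.10", 1022),  # unusual traffic to the DNS server: hidden too
]

if __name__ == "__main__":
    print(len(alerts(SAMPLE, False)), "alerts without filter,", len(alerts(SAMPLE, True)), "with")
    print(len(dropped_by_bpf(SAMPLE)), "packets invisible to every rule")
```

The fourth sample packet shows the cost of the last-resort approach: whatever the command-line filter excludes is invisible to every rule, not just the noisy one.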