[Snort-users] Tweaking false positive alert

Max Vision vision at ...4...
Sat Mar 10 13:33:54 EST 2001


As a last resort you could always whip up a pcap expression to exclude the
host, just append to the snort command line. Maybe something like:

 snort <blah options go here> '!(host ns.example.com && src port 53)'

There might be something more elegant to be done within Snort but I can't
think of it right now if there is :)

Max

On Sat, 10 Mar 2001, Lance Spitzner wrote:
> Okay folks, how do I log this without alerting this
> behavior?  My internal DNS server is generating ALOT
> of false alerts because it talks to and from port 53.
> So I get alot of these errors.
>
> [**] MISC source port 53 to <1023 [**]
>
> I want to do something like this, but it does not work.
>
> alert udp $EXTERNAL_NET 53 -> $HOME_NET,!192.168.1.10 :1023 (msg:"MISC source port 53 to <1023";)
>
> I want to say, apply this alert to everything in my internal
> network BUT my DNS server.  How do I do this functionality,
> while keeping the alert-pass-log order?
>
> Words of wisdom?
>
> --
> Lance Spitzner
> http://project.honeynet.org
>





More information about the Snort-users mailing list