[Snort-users] Tweaking false positive alert

Martin Roesch roesch at ...421...
Mon Mar 12 01:38:57 EST 2001


What did you set $EXTERNAL_NET to?  Looks like it's set to 'any'. 
Anyway, try this:

alert udp [$EXTERNAL_NET,!192.168.1.10/32] 53 -> $HOME_NET :1023 (yadda yadda;)

   -Marty

Lance Spitzner wrote:
> 
> Okay folks, how do I log this without alerting on this
> behavior?  My internal DNS server is generating A LOT
> of false alerts because it talks to and from port 53.
> So I get a lot of these errors.
> 
> [**] MISC source port 53 to <1023 [**]
> 
> I want to do something like this, but it does not work.
> 
> alert udp $EXTERNAL_NET 53 -> $HOME_NET,!192.168.1.10 :1023 (msg:"MISC source port 53 to <1023";)
> 
> I want to say, apply this alert to everything in my internal
> network BUT my DNS server.  How do I do this functionality,
> while keeping the alert-pass-log order?
> 
> Words of wisdom?
> 
> --
> Lance Spitzner
> http://project.honeynet.org
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users

--
Martin Roesch
roesch at ...421...
http://www.snort.org
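To make the address-list negation in Marty's suggested rule concrete, here is an added example (not Snort's own code and not from either poster): a small Python matcher for the Snort-style rule header, covering variables, CIDR and bare-host addresses, a leading `!` for negation, bracketed `[a,!b]` lists and `:1023`-style port ranges. It runs both Lance's original rule and the tweaked one over three constructed packets, showing that the tweaked rule no longer fires on the internal DNS server's replies. The `$HOME_NET` value, the packets and the choice to reject an unbracketed comma list are assumptions made for this illustration, and the parser is a simplified reading of the syntax rather than Snort's parser.

```python
import ipaddress
import re

# Constructed variable bindings for this example. The thread says $EXTERNAL_NET
# was effectively 'any'; $HOME_NET is an assumed internal range.
VARS = {"EXTERNAL_NET": "any", "HOME_NET": "192.168.1.0/24"}

ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_addr_spec(spec):
    """Parse a Snort-style address field into (positive, negative) networks.

    Accepts 'any', a host or CIDR, an optional leading '!' to negate, and a
    bracketed comma list such as [$EXTERNAL_NET,!192.168.1.10/32]. This is a
    simplified reading of the syntax, not Snort's own parser.
    """
    spec = re.sub(r"\$(\w+)", lambda m: VARS[m.group(1)], spec.strip())
    if spec.startswith("[") and spec.endswith("]"):
        items = spec[1:-1].split(",")
    elif "," in spec:
        # Assumption for this toy parser: a list must be wrapped in [ ],
        # which is the form the reply in the thread uses.
        raise ValueError("comma-separated list must be enclosed in [ ]: %r" % spec)
    else:
        items = [spec]
    positive, negative = [], []
    for item in items:
        item = item.strip()
        negate = item.startswith("!")
        item = item.lstrip("!")
        net = ANY if item == "any" else ipaddress.ip_network(item, strict=False)
        (negative if negate else positive).append(net)
    # A lone '!x' means "everything except x".
    return (positive or [ANY]), negative


def addr_matches(addr, spec):
    """True when addr is inside some positive entry and no negated entry."""
    positive, negative = spec
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in positive) and not any(ip in n for n in negative)


def parse_port_spec(spec):
    """'any', '53', ':1023' (<=1023), '1024:' (>=1024) or 'lo:hi' -> (lo, hi)."""
    spec = spec.strip()
    if spec == "any":
        return 0, 65535
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0), (int(hi) if hi else 65535)
    return int(spec), int(spec)


RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")


def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: %r" % text)
    return {
        "action": m.group("action"),
        "proto": m.group("proto"),
        "src": parse_addr_spec(m.group("src")),
        "sport": parse_port_spec(m.group("sport")),
        "dst": parse_addr_spec(m.group("dst")),
        "dport": parse_port_spec(m.group("dport")),
        "opts": m.group("opts"),
    }


def rule_matches(rule, pkt):
    """pkt is (proto, src_ip, src_port, dst_ip, dst_port)."""
    proto, sip, sp, dip, dp = pkt
    return (proto == rule["proto"]
            and addr_matches(sip, rule["src"]) and rule["sport"][0] <= sp <= rule["sport"][1]
            and addr_matches(dip, rule["dst"]) and rule["dport"][0] <= dp <= rule["dport"][1])


ORIGINAL = 'alert udp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1023";)'
TWEAKED = ('alert udp [$EXTERNAL_NET,!192.168.1.10/32] 53 -> $HOME_NET :1023 '
           '(msg:"MISC source port 53 to <1023";)')

# Constructed traffic: an outside DNS reply to a low port, the internal DNS
# server (192.168.1.10) answering an internal host on a low port, and an
# outside reply landing on a high port.
PACKETS = {
    "external_53_to_low": ("udp", "10.9.8.7", 53, "192.168.1.50", 1000),
    "internal_dns_to_low": ("udp", "192.168.1.10", 53, "192.168.1.50", 1000),
    "external_53_to_high": ("udp", "10.9.8.7", 53, "192.168.1.50", 40000),
}


def alerting_packets(rule_text):
    """Names of the constructed packets that the given rule would fire on."""
    rule = parse_rule(rule_text)
    return sorted(name for name, pkt in PACKETS.items() if rule_matches(rule, pkt))


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("tweaked", TWEAKED)):
        print(label, alerting_packets(text))
```

Run as a script, the original rule fires on both low-port packets, including the internal DNS server's reply, while the tweaked rule fires only on the outside reply. Because the exclusion lives in the rule's own address list, the alert/pass/log order never comes into play, which is the point of Marty's suggestion over a separate pass rule.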
