[Snort-users] HELP!

Erek Adams erek at ...577...
Fri Nov 9 11:53:02 EST 2001


On Fri, 9 Nov 2001, Noah Silverman wrote:

> I tried this. It DOES stop the portscan report, BUT I still get logging from
> my DNS IP and entries in the alert log file.
>
> I am also getting entries from the IP of my machine.  I DO have my home IP
> set correctly.

Noah,

	IMHO, if you are getting alerts that you think you shouldn't, the very
first thing to do is to find out 'Why?'.  Forget about disabling anything and
concentrate on the traffic that is being alerted on.  IOW, check out the
packet dumps.  See if it _is_ legitimate traffic.  It may not be!  Don't just
assume your HOME_NET is a perfectly secured place!  :)

	You may want to use a pass rule to allow traffic that is valid to be
passed with no alert.  If you do this, be very, very careful.  One badly
written pass rule can mess up your whole day!  You'll want to use the '-o'
option for that....  Be warned that since snort does 'match, then exit', if
the pass rule matches, it will quit checking for alerts.  That can be bad if
you have a pass rule that allows anything to come in!

	What types of alerts are being logged into the alert file from your
other boxes?

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
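As an added illustration of the pass-rule advice above (this is not from the original message or from the Snort project), here is what a badly written pass rule looks like next to a narrow one. The HOME_NET and DNS_SERVERS addresses and the log path are placeholders; substitute your own.

```conf
# Added example, not part of the original post. Assumes HOME_NET and
# DNS_SERVERS are defined in snort.conf; the addresses below are made up.
var HOME_NET 192.168.1.0/24
var DNS_SERVERS [192.168.1.2/32]

# BAD: this pass rule matches every packet. Once pass rules are checked
# first (-o), Snort stops at the first match, so nothing is ever alerted on.
#pass ip any any <> any any

# Narrow pass rule: only UDP/53 between your hosts and your own resolver,
# in both directions (<>). Every other packet still reaches the alert rules.
pass udp $HOME_NET any <> $DNS_SERVERS 53

# Without -o Snort applies rules in the order Alert -> Pass -> Log, so a pass
# rule never suppresses anything. Start it with -o to get Pass -> Alert -> Log:
#   snort -o -c /etc/snort/snort.conf -l /var/log/snort
#
# Before adding any pass rule, read back what was actually logged
# (-r reads a binary/tcpdump log, -d dumps payload, -v is verbose):
#   snort -dv -r /var/log/snort/<logfile>
```

Keep the pass rule as specific as the traffic you have already verified to be legitimate; a pass rule on `any any` in either direction silently switches off every alert for that host pair.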




