[Snort-users] false positive + NAT
Frederic.Lemoine at ...3452...
Mon Sep 17 06:13:10 EDT 2001
We do network address translation (hide mode) on the firewall.
I have a lot of alerts like:

    WEB-MISC http directory traversal
    WEB-MISC ultraboard access
    WEB-MISC whisker head

source IP: our firewall, high ports
destination IP: web sites, port 80

This is obviously the traffic back to the web servers, originally initiated by
our users from the internal LAN.

I am wondering how not to log this kind of traffic, and why Snort
identifies this as an attempt.