[Snort-users] false positive + NAT

Frederic Lemoine Frederic.Lemoine at ...3452...
Mon Sep 17 06:13:10 EDT 2001


We do network address translation (hide mode) on the firewall.

I have a lot of alerts like 

WEB-MISC http directory traversal
WEB-MISC ultraboard access
WEB-MISC whisker head

source IP		: our firewall, high ports
destination IP	: web sites, port 80

This is obviously the traffic back to the web servers, firstly originated by
our users from the Internal LAN.

I am wondering how not to log this kind of traffic, and why does snort
identify this as an attempt.


More information about the Snort-users mailing list