[Snort-users] snort filter

Erek Adams erek at ...577...
Wed Sep 26 13:32:01 EDT 2001


On Wed, 26 Sep 2001, Eduard Meiler wrote:

> after installing snort I get a lot of these messages about the traffic. Does
> it make sense to disable this function, or is there a way to filter the
> unnecessary information?

It depends.

> Sep 26 21:00:00 wall snort: [1:515:2] MISC source port 53 to <1024
> [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP}
> 193.141.40.1:53 -> 192.168.7.200:53

Consider the source and destination.  Source was from xlink1.xlink.net which
is a DNS server.  Destination was a private net.  Now if that internal machine
made a DNS query then this might be normal, seeing as you can specify the port
to connect back on in the BIND configs.

Is that one of the DNS servers you use?  If not, then something might be up.
If so, build a pass rule for it if needed, then use the -o switch to swap the
order of the rules.

Hope this helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
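
The check described in the reply above (is the source one of the DNS servers you use?), run over Snort's syslog alerts; this is an added example, not part of the original post. The resolver list and every sample line except the first are assumptions, and the header-only pass rules it produces are candidates to review before loading them with -o.

```python
import re

# One-line syslog form of the alert quoted in the message above.
ALERT_RE = re.compile(
    r"snort: \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.+?) \[Classification: [^\]]*\] "
    r"\[Priority: \d+\]: \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def triage(lines, resolvers, sid="515"):
    """Return (pass_rules, suspicious) for alerts raised by the given SID."""
    pass_rules, suspicious = [], []
    for line in lines:
        m = ALERT_RE.search(line)
        if not m or m["sid"] != sid:
            continue  # not a Snort alert line, or a different rule fired
        a = m.groupdict()
        if a["src"] in resolvers and a["sport"] == "53":
            # Known resolver answering from port 53: narrowest possible pass rule.
            rule = f"pass {a['proto'].lower()} {a['src']} 53 -> {a['dst']} {a['dport']}"
            if rule not in pass_rules:
                pass_rules.append(rule)
        else:
            suspicious.append(a)  # source is not a resolver this site uses
    return pass_rules, suspicious

# Constructed sample: the first entry is the alert from the message joined onto
# one line; the rest are made up (203.0.113.9 is a documentation address).
SAMPLE = [
    "Sep 26 21:00:00 wall snort: [1:515:2] MISC source port 53 to <1024 "
    "[Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} "
    "193.141.40.1:53 -> 192.168.7.200:53",
    "Sep 26 21:00:05 wall snort: [1:515:2] MISC source port 53 to <1024 "
    "[Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} "
    "193.141.40.1:53 -> 192.168.7.200:53",
    "Sep 26 21:01:10 wall snort: [1:515:2] MISC source port 53 to <1024 "
    "[Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} "
    "203.0.113.9:53 -> 192.168.7.200:111",
    "Sep 26 21:02:00 wall sshd[311]: unrelated line",
]
RESOLVERS = {"193.141.40.1"}  # assumption: the DNS server this site uses

if __name__ == "__main__":
    rules, odd = triage(SAMPLE, RESOLVERS)
    print("\n".join(rules))
    for a in odd:
        print("review:", a["src"], "->", f"{a['dst']}:{a['dport']}")
```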




