[Snort-users] UDP Alerts

Frank Reid fcreid at ...691...
Sun Jan 13 05:37:05 EST 2002


I suspected there was a differing definition for "authentication" being used
during the discussion!

On an unrelated note, is anyone (everyone) seeing streaming media sources
(Akamai, RealMedia, AOL and others) trigger the "BAD-TRAFFIC udp port 0"
alert?  I have to disable that alert manually on each update as a result.
Is there ever a case where one must watch this traffic for surreptitious
activity?

Frank

-----Original Message-----
From: Saad Kadhi [mailto:bsdguy at ...4401...]
Sent: Sunday, January 13, 2002 8:18 AM
To: Frank Reid
Cc: Snort Users; kamesh_rajaram at ...4543...
Subject: RE: [Snort-users] Patch for ACID....!!


On Sun, 2002-01-13 at 14:01, Frank Reid wrote:
> It could be a useful feature to have both an "anonymous" and
"administrator"
> (authenticated) mode on ACID.  The anonymous user would be allowed to
> search/display alerts, graph data, etc., but not delete, archive, etc.  In
> fact, it would be great to support granular accounts in both ACID and
> Demarc, probably associated with specified database criteria such as the
> alert type, address space, etc.  So, if "User X" is associated with
address
> 1.2.3.0/24 and has non-administrative permissions (no delete), "User X" is
> only able to query within those bounds after authenticating.  "User Y" is
a
> website administrator, so he only has non-administrative permissions for
> 1.2.3.4/32 and only for alerts WEB-IIS, WEB-MISC, etc.
Now I got the picture. I thought it was just a need to authenticate
access to the acid subdir. My sincere apologies to kamesh for such a
misunderstanding.

Regards.






More information about the Snort-users mailing list