[Snort-users] My Webservers Are Showing Up In My Alerts

matt mkettler at ...4108...
Thu Jun 13 17:32:03 EDT 2002


If I'm reading you right, you've fixed one problem, but still have a 
problem where it looks like your squid server is attacking other people's 
networks.

Have you tried modifying EXTERNAL_NET to not be "any" but instead be 
"!$HOME_NET" or "!$HTTP_SERVERS". If you're only interested in inbound 
attacks I'd highly recommend it as it will speed snort up, and kill this 
kind of false alert.

At 12:24 AM 6/14/2002 +0000, Vadim Pushkin wrote:
>I already did that, in fact I have this instead:
>
>alert tcp $EXTERNAL_NET any -> !$HTTP_SERVERS 8080 (msg:"SCAN Proxy 
>\(8080\) attempt"; flags:S; classtype:attempted-recon; sid:620; rev:2;)
>
>The problem is that these are ALSO my proxy servers running
>Squid. As such, they are the spring broard into "other" peoples
>webservers. Because of this I get alot of WEB-cgi calendar,
>WEB-IIS scripts, etc to these machines. Should I add a "!"
>into ALL of my rules? I hope not :-)
>
>Thanks again,
>
>Vad





More information about the Snort-users mailing list