[Snort-users] My Webservers Are Showing Up In My Alerts

Muhammad Faisal Rauf Danka mfrd at ...6006...
Thu Jun 13 21:49:02 EDT 2002


It's probably because your snort is listening on a non filtered/firewalled interface. 
The attempts are real, but it's not necessary that they were all successful. If you know for sure that your webservers are apache and can noway contain cmd.exe ( and even if they do, its useless on a linux box ) ;) , then you can very well comment out the cmd rules.
You cannot call them false positives. I mean ppl are probing you to intrude in your network and you should be aware of it. 
That's why you're using snort right? So It's happening, you're knowing who'se trying to intrude you. =)

Regards, 
---------
Muhammad Faisal Rauf Danka

Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk

Vice President
Pakistan Computer Emergency Responce Team (PakCERT)
web: www.pakcert.org

Chief Security Analyst
Applied Technology Research Center (ATRC)
web: www.atrc.net.pk


--- "Vadim Pushkin" <wiskbroom at ...125...> wrote:
>Greetings Fellowes;
>
>My snort.conf has the following entries:
>
>var HTTP_SERVERS 
>[192.168.11.41/32,192.168.11.42/32,192.168.11.43/32,192.168.11.44/32]
>
># Above is all on one line
>
>var HTTP_SERVERS_PORT 8080
>
>Several of my rules have port 80 replaced with $HTTP_SERVERS_PORT.
>
>I am getting ALOT of alerts for these as either source or dest.
>How can I prevent this?
>
>Thank you kindly,
>
>-vadim
>Vadim (Ukranian Stallion) Pushkin

_____________________________________________________________
---------------------------
[ATTITUDEX.COM]
http://www.attitudex.com/
---------------------------

_____________________________________________________________
Promote your group and strengthen ties to your members with email at ...6007... by Everyone.net  http://www.everyone.net/?btn=tag




More information about the Snort-users mailing list