[Snort-users] My Webservers Are Showing Up In My Alerts

Muhammad Faisal Rauf Danka mfrd at ...6006...
Thu Jun 13 21:49:02 EDT 2002

It's probably because your snort is listening on a non-filtered/firewalled interface.
The attempts are real, but it's not necessary that they were all successful. If you know for sure that your webservers are Apache and can in no way contain cmd.exe (and even if they do, it's useless on a Linux box) ;), then you can very well comment out the cmd rules.
You cannot call them false positives. I mean people are probing you to intrude in your network and you should be aware of it.
That's why you're using snort, right? So it's happening, and you know who's trying to intrude on you. =)

Muhammad Faisal Rauf Danka

Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk

Vice President
Pakistan Computer Emergency Response Team (PakCERT)
web: www.pakcert.org

Chief Security Analyst
Applied Technology Research Center (ATRC)
web: www.atrc.net.pk

--- "Vadim Pushkin" <wiskbroom at ...125...> wrote:
>Greetings Fellowes;
>My snort.conf has the following entries:
># Above is all on one line
>Several of my rules have port 80 replaced with $HTTP_SERVERS_PORT.
>I am getting A LOT of alerts for these as either source or dest.
>How can I prevent this?
>Thank you kindly,
>Vadim (Ukrainian Stallion) Pushkin
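
One way to do the commenting-out suggested in the reply above, as an added example that is not part of the original messages or of Snort itself. The sample rules, their sids and the function name `disable_rules` are constructed for illustration; only `content`/`uricontent` options are inspected, so a rule that merely mentions cmd.exe in its `msg` stays active.

```python
import re

# Constructed sample rules in Snort rule syntax (sids and messages are made up).
SAMPLE_RULES = '''\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC /etc/passwd"; content:"/etc/passwd"; nocase; sid:1000002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd32.exe access"; content:"cmd32.exe"; nocase; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC note about cmd.exe"; content:"/scripts/"; sid:1000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS CMD.EXE upper"; content:"CMD.EXE"; sid:1000005; rev:1;)
'''

# Payload-matching options and the rule id, as they appear inside the (...) body.
CONTENT_RE = re.compile(r'\b(?:uri)?content\s*:\s*!?\s*"([^"]*)"')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def disable_rules(rules_text, needle="cmd.exe"):
    """Comment out active alert rules whose content option contains `needle`.

    Returns (new_text, disabled_sids). Rules that are already commented out
    are left untouched, and the match is case-insensitive.
    """
    out, disabled = [], []
    for line in rules_text.splitlines():
        stripped = line.lstrip()
        active = stripped.startswith("alert ")
        contents = CONTENT_RE.findall(stripped)
        if active and any(needle.lower() in c.lower() for c in contents):
            sid = SID_RE.search(stripped)
            disabled.append(int(sid.group(1)) if sid else None)
            # Keep the original rule text so the change is easy to review or revert.
            out.append("# disabled (no " + needle + " on these hosts): " + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


if __name__ == "__main__":
    new_text, sids = disable_rules(SAMPLE_RULES)
    print("disabled sids:", sids)
    print(new_text)
```

The returned sid list doubles as a record of which probes will no longer raise alerts on those hosts.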

