[Snort-users] about false alarm.

SW samwun at ...6596...
Fri Sep 13 20:40:01 EDT 2002


Hi,

I want to remove the alarm when my internal IP addr reaches the external public IP addr. How can I do that in Snort?
e.g.:

[**] [1:1560:4] WEB-MISC /doc/ access [**]
[Classification: \x808-] [Priority: 2]
09/14/02-11:39:45.517755 192.168.1.5:1306 -> 198.133.219.25:80
TCP TTL:128 TOS:0x0 ID:12417 IpLen:20 DgmLen:377 DF
***AP*** Seq: 0x51E7E0FD  Ack: 0x226C2FBE  Win: 0xFBB8  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0678]
[Xref => http://www.securityfocus.com/bid/318]

I don't think this is a valid alarm, it is a false positive, isn't it? How can I stop Snort from logging these alarms?
And I also don't know why the Classification has Hex as its name.

Thanks
Sam


