[Snort-users] Same source/dest

Keg snrtlst at ...2792...
Tue Apr 1 13:27:10 EST 2003


I have disabled 'bad traffic same src/dst' in the bad-traffic rules, but I 
just want to check my thoughts on that with you.
I was receiving a lot of those on port 25 for the public IP and DMZ IP of my 
mail server. My guess at this point is that the Snort rule is triggered 
because each time mail is received, or even an ident lookup is done, the 
traffic is passed between the NATed IP and the source IP of the mail server, 
and this in turn triggers the rule. That's why I disabled it (I was having 
a new entry each second in ACID; you can guess how fast the database will 
be populated with those errors).
I just want to hear your opinion on that... probably I shouldn't have 
done that?




