[Snort-users] Too many alerts
j.weber at ...8292...
Mon Apr 7 02:59:03 EDT 2003
> These I believe are false positives but I want them to STOP.
> Please help me in stopping these. Of course I don't want to unload the rules, therefore any other solution is welcome.
First, I'd suggest you trim down your rulebase and check for rules you
really want. That's not only good for speed (more rules->slower snort)
but it's also essential for the understanding process ;)
Having said that, there are several things you could do.
One is to comment out the rules which are getting triggered too often.
The other is to write a PASS rule for hosts which trigger the rules but
are false positives. Or you use BPF to ignore the offending host. Look
at  and  for more info about that please.
I'd also check out  for some general comments about rules & which
ones to include/exclude.
> The messages are:
> "SCAN UPNP service discover attempt"
> "nessus MISC xdmcp info query" (I think I know this because I use cygwin XWin.exe to connect to this server over X and this started after using this)
> "X11 MIT Magic Cookie detected" (probably because of the same reason above...XDM)...
Yup, pretty likely. You're triggering the rules yourself. If you've an X server in-house, then you might want to tune your rulebase anyway, as you prolly do not care for every connection to your X server, do you now? ;)
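The two suppression approaches mentioned above (a PASS rule for a known-good host, and a BPF expression to drop the host's traffic before the detection engine sees it), written out as an added example that is not part of the original mail. The IP addresses, the rule SIDs in the 1000000+ local range and the file names are assumptions for illustration; the X11 port (6000/tcp), XDMCP (177/udp) and UPnP SSDP (1900/udp to 239.255.255.250) are the standard ports those rules watch.

```snort
# local-pass.rules (hypothetical file name): exceptions for traffic we know is our own.
# The admin workstation 192.168.1.20 (assumed address) runs cygwin XWin.exe and
# legitimately talks X11 and XDMCP to the server 192.168.1.10 (assumed address).
# Scope each pass rule to the narrowest host/port pair that explains the alert,
# so the original rules still fire for any other source.

pass tcp 192.168.1.20 any -> 192.168.1.10 6000:6010 \
    (msg:"LOCAL pass X11 from admin workstation"; sid:1000001; rev:1;)

pass udp 192.168.1.20 any -> 192.168.1.10 177 \
    (msg:"LOCAL pass XDMCP from admin workstation"; sid:1000002; rev:1;)

# SSDP discovery multicast from the local LAN only; anything arriving from
# elsewhere still hits the "SCAN UPNP service discover attempt" rule.
pass udp 192.168.1.0/24 any -> 239.255.255.250 1900 \
    (msg:"LOCAL pass SSDP discovery from LAN"; sid:1000003; rev:1;)

# In snort.conf, include the file alongside the stock rule sets:
#   include $RULE_PATH/local-pass.rules
#
# Snort's default rule order is alert -> pass -> log, so pass rules only win
# when you start snort with -o, which switches the order to pass -> alert -> log:
#   snort -c /etc/snort/snort.conf -o
#
# Alternative: a BPF expression on the command line (or in a file passed with
# -F) keeps the packets from reaching the detection engine at all. This is
# coarser: every packet matching the filter is invisible to all rules, so keep
# it narrow. The filter below mirrors the three pass rules.
#   snort -c /etc/snort/snort.conf \
#     'not (host 192.168.1.20 and host 192.168.1.10 and (tcp portrange 6000-6010 or udp port 177)) \
#      and not (src net 192.168.1.0/24 and dst host 239.255.255.250 and udp port 1900)'
```

The pass-rule route is preferable when you still want the rest of the ruleset to inspect the same hosts: it removes one specific false positive and leaves a record (the SID and msg) of why the exception exists. The BPF route is cheaper but blinds snort to everything the expression matches, so a pass rule should be the first choice and BPF reserved for traffic you are certain you never want to inspect.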
T: (0681) 8 80 08 - 0
F: (0681) 8 80 08 - 59
E: j.weber at ...8292...