[Snort-users] Too many alerts

Joerg Weber j.weber at ...8292...
Mon Apr 7 02:59:03 EDT 2003

Hi there,

> These I believe are false positives but I want them to STOP.
>  Please help me in stopping these. Of course I don't want to unload the rules therefore any other solution is welcome.
First, I'd suggest you trim down your rulebase and check for rules you
really want. That's not only good for speed (more rules->slower snort)
but it's also essential for the understanding process ;)

Having said that, there are several things you could do.
One is to comment out the rules which are getting triggered too often.
The other is to write a PASS rule for hosts which trigger the rules but
are false positives. Or you use BPF to ignore the offending host. Look
at [0] and [1] for more info about that please.

I'd also check out [2] for some general comments about rules & which
ones to include/exclude.

> The messages are:
> "SCAN UPNP service discover attempt"
> "nessus MISC xdmcp info query" (I think I know this because I use cygwin XWin.exe to connect to this server over X and this started after using this)
> "X11 MIT Magic Cookie detected" (probably because of the same reason above...XDM)...
Yup, pretty likely. You're triggering the rules yourself. If you've an x-server in-house, then you might want to tune your rulebase anyways, as you prolly do not care for every connection to your x-server, do you now? ;)



[0] http://www.theadamsfamily.net/~erek/snort/ignore.txt
[1] http://marc.theaimsgroup.com/?l=snort-users&m=103582526626496&w=2
[2] http://marc.theaimsgroup.com/?l=snort-users&m=101967600523591&w=2

Joerg Weber
Network Security

infoServe GmbH
Nell-Breuning-Allee 6
D-66115 Saarbruecken

T: (0681) 8 80 08 - 0
F: (0681) 8 80 08 - 59
E: j.weber at ...8292...
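
Putting the two suggestions from the reply (a PASS rule, or a BPF filter) into concrete form for the three alerts named in the question; this is an added example, not part of the original post and not the Snort project's own files. The host address, sids, file names and paths are assumptions.

```text
# --- local-pass.rules (assumed file name; address and sids are constructed) ---
# Admin workstation that runs the cygwin X server (XWin.exe).
var XADMIN 192.168.1.50

# Tighter than ignoring the whole host: only the traffic the X setup legitimately
# generates is passed; everything else to or from XADMIN is still inspected.
# XDMCP query from the workstation's X server to the display manager (UDP 177).
pass udp $XADMIN any -> $HOME_NET 177 (msg:"LOCAL pass XDMCP from admin X server"; sid:1000001; rev:1;)
# X11 sessions to the workstation's display (TCP 6000-6063); this is where the
# MIT Magic Cookie rule sees the authentication exchange.
pass tcp $HOME_NET any <> $XADMIN 6000:6063 (msg:"LOCAL pass X11 to admin X server"; sid:1000002; rev:1;)
# SSDP M-SEARCH from internal hosts (the "UPNP service discover" alert);
# only pass it if you have verified that your own machines are the source.
pass udp $HOME_NET any -> 239.255.255.250 1900 (msg:"LOCAL pass internal SSDP discovery"; sid:1000003; rev:1;)

# --- snort.conf: load the file after the stock rule set ---
include $RULE_PATH/local-pass.rules

# --- Starting snort: pass rules only win if they are evaluated first. ---
# Default order is Alert->Pass->Log, so without -o the alerts still fire;
# -o switches the order to Pass->Alert->Log.
#   snort -c /etc/snort/snort.conf -o -l /var/log/snort

# --- Coarser alternative: BPF filter (assumed file name /etc/snort/ignore.bpf) ---
# Caveat: snort never sees the excluded packets at all, so an attack against
# or from that host on those ports is invisible too. Keep the expression narrow.
not (host 192.168.1.50 and (udp port 177 or tcp port 6000))
#   snort -c /etc/snort/snort.conf -F /etc/snort/ignore.bpf -l /var/log/snort
```

Each pass rule carries its own sid so that a later `grep` of the logs or a rule audit shows which exception it is; the BPF variant leaves no such trace, which is the main reason to prefer the pass rules.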
