[Snort-users] Snort 2.0 Upgrade - Sensor is very chatty

Pacheco, Michael F. MPacheco at ...6219...
Wed Apr 23 11:59:02 EDT 2003


Upgraded to 2.0.0 from 1.9.1 with-mysql - everything went well, but the new
install of 2.0 is alerting on T/TCP Detected (SID 56) in bucket loads now.
Grep'd through the rules base for sid:56 and T/TCP and could not find
anything.  The snort.conf looks like this

--

var HOME_NET [xx.xx.x.0/8,xx.xx.xx.0/24,xx.xx.xxx.0/24]
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
#var RULE_PATH ../rules
#
## Preprocessor Support
## --------------------
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
#preprocessor bo: -nobrute
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: 63.145.4.252
#preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
#preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60
preprocessor frag2
preprocessor telnet_decode
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00

--

Any ideas?

Thanks, Mike Pacheco
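
As an added example, not code from Mike's post or from the Snort project: a small Python helper that reads alert lines and tells apart rule alerts (generator 1, which a grep for `sid:` in the .rules files does find) from decoder and preprocessor alerts, which carry their own generator ID and are listed in gen-msg.map rather than in any rule file. The alert lines, the rule and both map files below are constructed inline; the `[gid:sid:rev]` alert prefix and the `||`-separated layout of sid-msg.map and gen-msg.map are assumed to match the Snort install, and attributing the T/TCP alert to generator 116 (the decoder) in the sample data is an assumption made for the example.

```python
import re
from collections import Counter

# Constructed alert lines in Snort's bracketed alert style.  The
# [gid:sid:rev] triple is what identifies where an alert came from.
# These are made-up lines, not output from the poster's sensor; the
# generator ID 116 for the T/TCP alert is an assumption.
SAMPLE_ALERTS = """\
[**] [116:56:1] (snort_decoder) WARNING: T/TCP Detected [**]
[**] [116:56:1] (snort_decoder) WARNING: T/TCP Detected [**]
[**] [1:1000001:1] LOCAL constructed test rule [**]
[**] [116:56:1] (snort_decoder) WARNING: T/TCP Detected [**]
[**] [111:1:1] (spp_stream4) constructed preprocessor alert [**]
"""

# Constructed rule file: the only place a 'sid:' keyword ever appears.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL constructed test rule"; \
flow:to_server; content:"/example"; sid:1000001; rev:1;)
"""

# Constructed map files in the assumed '||'-separated layout.
SAMPLE_SID_MAP = "1000001 || LOCAL constructed test rule\n"
SAMPLE_GEN_MAP = """\
116 || 56 || (snort_decoder) WARNING: T/TCP Detected
111 || 1 || (spp_stream4) constructed preprocessor alert
"""

ALERT_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")


def parse_map(text, key_fields):
    """Parse a '||'-separated map file into {(numeric keys...): message}."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        key = tuple(int(p) for p in parts[:key_fields])
        out[key] = parts[key_fields]
    return out


def classify(gid, sid, rules_text, sid_map, gen_map):
    """Say where a (gid, sid) pair is defined."""
    if gid == 1:
        # Generator 1 is the rules engine, so the SID is the 'sid:' keyword
        # of a rule and a grep through the .rules files will locate it.
        in_rules = re.search(rf"\bsid:\s*{sid}\s*;", rules_text) is not None
        msg = sid_map.get((sid,), "no sid-msg.map entry")
        return ("rule" if in_rules else "rule not in loaded .rules") + f": {msg}"
    # Any other generator is a decoder or preprocessor.  Those SIDs are
    # numbered per generator and listed in gen-msg.map, never in a rule,
    # which is why grepping the rules for sid:56 turns up nothing.
    msg = gen_map.get((gid, sid), "unknown generator/sid")
    return f"decoder/preprocessor: {msg}"


def summarize(alert_text, rules_text, sid_map, gen_map):
    """Return {(gid, sid): (count, origin)} for every alert in alert_text."""
    counts = Counter((int(g), int(s)) for g, s, _ in ALERT_RE.findall(alert_text))
    return {
        key: (n, classify(key[0], key[1], rules_text, sid_map, gen_map))
        for key, n in counts.items()
    }


def run_example():
    """Summarize the constructed sample data; the noisiest source comes first."""
    summary = summarize(
        SAMPLE_ALERTS,
        SAMPLE_RULES,
        parse_map(SAMPLE_SID_MAP, 1),
        parse_map(SAMPLE_GEN_MAP, 2),
    )
    return dict(sorted(summary.items(), key=lambda kv: -kv[1][0]))


if __name__ == "__main__":
    for (gid, sid), (count, origin) in run_example().items():
        print(f"{count:4d}  [{gid}:{sid}]  {origin}")
```

Pointing the script at the sensor's real alert file and the `rules` directory of the 2.0 install (gen-msg.map and sid-msg.map ship there) answers the "could not find sid:56 in the rules" part directly: an alert whose generator is not 1 has no rule to find.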
