[Snort-users] Snort 2.0 Upgrade - Sensor is very chatty

Brett.Gillett at ...8974... Brett.Gillett at ...8974...
Wed Apr 23 12:07:18 EDT 2003


Mike,

You need to upgrade your snort.conf file to the newest version, then look 
for the following line and uncomment it.

#config disable_ttcp_alerts

then restart Snort.

Hope that helps

Brett
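As an added example (not part of Brett's reply or of the Snort project's own code): the reason a `grep` of the rules for `sid:56` turns up nothing is that "T/TCP Detected" comes from the decoder, not from a rule, so it is controlled by a `config` line in snort.conf rather than in a rules file. The script below triages Snort "fast" alert lines by generator id and signature id, reports where each alert is configured, and applies the snort.conf change from the reply. It assumes Snort's fast-alert line format (`[**] [gid:sid:rev] msg [**]`) and that generator id 116 is the snort_decoder while generator id 1 is the rule engine; the sample alert lines are constructed for the example.

```python
"""Triage Snort fast-alert output by generator (gid) and signature (sid).

Added example, not code from the original thread or from Snort itself.
Assumptions: Snort's "fast" alert format "... [**] [gid:sid:rev] msg [**] ...",
generator 116 = snort_decoder (decoder alerts such as "T/TCP Detected"),
generator 1 = rule engine (alerts that live in the rules files).
"""
import re
from collections import Counter

DECODER_GID = 116   # snort_decoder alerts, tuned via 'config' lines in snort.conf
RULES_GID = 1       # rule-based alerts, tuned in the rules files

# Constructed sample of fast-alert lines (not taken from the thread).
SAMPLE_ALERTS = """\
04/23-14:01:02.100000  [**] [116:56:1] (snort_decoder) WARNING: T/TCP Detected [**] {TCP} 10.1.1.5:1034 -> 10.1.2.9:80
04/23-14:01:02.250000  [**] [116:56:1] (snort_decoder) WARNING: T/TCP Detected [**] {TCP} 10.1.1.6:1040 -> 10.1.2.9:80
04/23-14:01:03.000000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.1.7 -> 10.1.2.9
04/23-14:01:04.500000  [**] [116:56:1] (snort_decoder) WARNING: T/TCP Detected [**] {TCP} 10.1.1.5:1041 -> 10.1.2.9:80
"""

ALERT_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]")


def parse_alert(line):
    """Return (gid, sid, rev, msg) for one fast-alert line, or None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    gid, sid, rev, msg = m.groups()
    return int(gid), int(sid), int(rev), msg


def origin(gid):
    """Where an alert with this generator id is controlled."""
    if gid == RULES_GID:
        return "rules file (grep for sid:N)"
    if gid == DECODER_GID:
        return "snort.conf decoder 'config' directives"
    return "preprocessor configuration in snort.conf"


def summarize(text):
    """Count alerts per (gid, sid), most frequent first, with message and origin."""
    counts = Counter()
    messages = {}
    for line in text.splitlines():
        parsed = parse_alert(line)
        if parsed is None:
            continue            # blank line or a line in another format
        gid, sid, _rev, msg = parsed
        counts[(gid, sid)] += 1
        messages[(gid, sid)] = msg
    return [
        {"gid": gid, "sid": sid, "count": n, "msg": messages[(gid, sid)], "source": origin(gid)}
        for (gid, sid), n in counts.most_common()
    ]


def enable_directive(conf_text, directive):
    """Uncomment `directive` in snort.conf text ("#config x" or "# config x" -> "config x").

    If the directive is already active the text is returned unchanged; if it is
    absent it is appended, so the call is safe to repeat.
    """
    pattern = re.compile(r"^[ \t]*#?[ \t]*" + re.escape(directive) + r"[ \t]*$", re.M)
    if pattern.search(conf_text):
        return pattern.sub(directive, conf_text, count=1)
    sep = "" if conf_text == "" or conf_text.endswith("\n") else "\n"
    return conf_text + sep + directive + "\n"


if __name__ == "__main__":
    for row in summarize(SAMPLE_ALERTS):
        print(f"[{row['gid']}:{row['sid']}] x{row['count']}  {row['msg']}  -> {row['source']}")
    # The change from the reply, applied to a one-line stand-in for snort.conf.
    print(enable_directive("#config disable_ttcp_alerts\n", "config disable_ttcp_alerts"), end="")
```

Run against a real `alert` file (`python triage.py < alert` after swapping `SAMPLE_ALERTS` for `sys.stdin.read()`), the summary shows at a glance that the noisy entry is generator 116, which is the cue to look at snort.conf's `config` lines instead of grepping the rules; the table of 116:56 counts per source host is also the quickest way to tell whether T/TCP is genuinely in use on the network or whether one host is the outlier.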





"Pacheco, Michael F." <MPacheco at ...6219...>
Sent by: snort-users-admin at lists.sourceforge.net
23/04/2003 02:58 PM

        To:     snort-users at lists.sourceforge.net
        cc:
        Subject:        [Snort-users] Snort 2.0 Upgrade - Sensor is very chatty


Upgraded to 2.0.0 from 1.9.1 with-mysql - everything went well, but the new
install of 2.0 is alerting on T/TCP Detected (SID 56) in bucket loads now.
Grep'd through the rules base for sid:56 and T/TCP and could not find
anything. The snort.conf looks like this

--

var HOME_NET [xx.xx.x.0/8,xx.xx.xx.0/24,xx.xx.xxx.0/24]
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
#var RULE_PATH ../rules
#
## Preprocessor Support
## --------------------
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
#preprocessor bo: -nobrute
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: 63.145.4.252
#preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
#preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60
preprocessor frag2
preprocessor telnet_decode
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00

--

Any ideas?

Thanks, Mike Pacheco

