[Snort-users] FW: Snort 2.0 Upgrade - Sensor is very chatty

Pacheco, Michael F. MPacheco at ...6219...
Wed Apr 23 12:08:18 EDT 2003


Never mind, my apologies to the list - I should have checked the theaimsgroup
snort list first.  Uncomment the ttcpalert line - my fault.

Mike

I'm not in Erek's drinking game - but I'll penalize myself tonight with at
least 2 drinks (maybe more).


-----Original Message-----
From: Pacheco, Michael F. 
Sent: Wednesday, April 23, 2003 2:58 PM
To: snort-users at lists.sourceforge.net
Subject: Snort 2.0 Upgrade - Sensor is very chatty

Upgraded to 2.0.0 from 1.9.1 with-mysql - everything went well, but the new
install of 2.0 is alerting on T/TCP Detected (SID 56) in bucket loads now.
Grep'd through the rules base for sid:56 and T/TCP and could not find
anything.  The snort.conf looks like this

--

var HOME_NET [xx.xx.x.0/8,xx.xx.xx.0/24,xx.xx.xxx.0/24]
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
#var RULE_PATH ../rules
#
## Preprocessor Support
## --------------------
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
#preprocessor bo: -nobrute
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: 63.145.4.252
#preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
#preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60
preprocessor frag2
preprocessor telnet_decode
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00

--

Any ideas?

Thanks  Mike Pacheco
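Added example, not part of the original thread or of Snort itself. The "T/TCP Detected" alert is Snort's decoder alert with generator 116, SID 56, and "the ttcpalert line" in a stock Snort 2.0 snort.conf is the commented-out directive `config disable_tcpopt_ttcp_alerts` (the sibling directives for SIDs 57 and 58 are `config disable_tcpopt_obsolete_alerts` and `config disable_tcpopt_experimental_alerts`; that SID-to-directive pairing is from my reading of the Snort 2.x snort.conf comments, so confirm it against your own copy). Before silencing a decoder alert after an upgrade it is worth confirming that the flood really is that SID and which hosts generate it, since T/TCP options on a production network are unusual and may point at a misbehaving device rather than at Snort. The script below tallies fast-format alert lines by GID:SID, lists the top source hosts for a given alert, and reports which silencing directive is still commented out in a snort.conf fragment. The alert lines, host addresses and snort.conf fragments are constructed for the example.

```python
import re
from collections import Counter

# Snort 2.x fast-alert lines, constructed to mimic the post-upgrade flood in
# the thread. Addresses and the local-rule SID are made up, not real data.
SAMPLE_ALERTS = """\
04/23-14:31:02.114210  [**] [116:56:1] (snort_decoder) WARNING: T/TCP Detected [**] [Priority: 3] {TCP} 10.1.2.3:3456 -> 10.1.2.40:80
04/23-14:31:02.118877  [**] [116:56:1] (snort_decoder) WARNING: T/TCP Detected [**] [Priority: 3] {TCP} 10.1.2.3:3457 -> 10.1.2.40:80
04/23-14:31:03.004501  [**] [116:56:1] (snort_decoder) WARNING: T/TCP Detected [**] [Priority: 3] {TCP} 10.1.2.9:1133 -> 10.1.2.40:25
04/23-14:31:05.770012  [**] [1:1000001:1] LOCAL test rule [**] [Priority: 2] {TCP} 203.0.113.5:4011 -> 10.1.2.40:80
04/23-14:31:09.220348  [**] [116:57:1] (snort_decoder) WARNING: Obsolete TCP Options found [**] [Priority: 3] {TCP} 10.1.2.3:3460 -> 10.1.2.40:80
"""

# Constructed snort.conf fragments: the stock, commented-out line and the fix.
CONF_BEFORE = "# Stop Alerts on T/TCP alerts\n#\n# config disable_tcpopt_ttcp_alerts\n"
CONF_AFTER = "# Stop Alerts on T/TCP alerts\n#\nconfig disable_tcpopt_ttcp_alerts\n"

ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")
ENDPOINT_RE = re.compile(r"\{\w+\} ([\d.]+)(?::\d+)? -> ([\d.]+)(?::\d+)?")

# Decoder alerts (GID 116) that Snort 2.x lets you silence with one "config"
# directive. Pairing is my reading of the Snort 2.x snort.conf comments.
DECODER_GID = 116
SILENCE_DIRECTIVE = {
    56: "config disable_tcpopt_ttcp_alerts",
    57: "config disable_tcpopt_obsolete_alerts",
    58: "config disable_tcpopt_experimental_alerts",
}


def tally_alerts(text):
    """Count alerts by (gid, sid) and remember each alert's message text."""
    counts = Counter()
    msgs = {}
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not a fast-format alert line
        key = (int(m.group(1)), int(m.group(2)))
        counts[key] += 1
        msgs[key] = m.group(4)
    return counts, msgs


def top_sources(text, gid, sid, n=3):
    """Source hosts firing a given alert, most frequent first. Look here
    before silencing: a handful of hosts emitting T/TCP options is a host
    problem, not a sensor problem."""
    sources = Counter()
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m or (int(m.group(1)), int(m.group(2))) != (gid, sid):
            continue
        e = ENDPOINT_RE.search(line)
        if e:
            sources[e.group(1)] += 1
    return sources.most_common(n)


def noisy_decoder_alerts(counts, threshold=2):
    """Decoder alerts at or over threshold that have a known silencing directive."""
    return {
        key: SILENCE_DIRECTIVE[key[1]]
        for key, n in counts.items()
        if key[0] == DECODER_GID and n >= threshold and key[1] in SILENCE_DIRECTIVE
    }


def directive_active(conf_text, directive):
    """True if snort.conf carries the directive on a line that is not commented out."""
    for line in conf_text.splitlines():
        s = line.strip()
        if s.startswith("#"):
            continue
        if s == directive or s.startswith(directive + " "):
            return True
    return False


def triage(alert_text, conf_text, threshold=2):
    """Noisy decoder SIDs whose silencing directive is still commented out.
    Returns [((gid, sid), count, message, directive), ...]."""
    counts, msgs = tally_alerts(alert_text)
    todo = []
    for key, directive in sorted(noisy_decoder_alerts(counts, threshold).items()):
        if not directive_active(conf_text, directive):
            todo.append((key, counts[key], msgs[key], directive))
    return todo


if __name__ == "__main__":
    for key, n, msg, directive in triage(SAMPLE_ALERTS, CONF_BEFORE):
        print("%d:%d fired %d times (%s); sources %s; uncomment: %s"
              % (key[0], key[1], n, msg, top_sources(SAMPLE_ALERTS, *key), directive))
```

Run it against a real alert file by swapping `SAMPLE_ALERTS` for the contents of the sensor's alert log and `CONF_BEFORE` for the live snort.conf; the threshold is deliberately low here so the constructed sample trips it. Note that the directive silences the decoder alert globally, so once it is in place the sensor will no longer tell you about genuine T/TCP option use either.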



