[Snort-users] false alarm with snort 2.0, why?
holger at ...9053...
Tue Apr 29 00:11:13 EDT 2003
On Mon, 28 Apr 2003, Matt Kettler wrote:
> You included some details of the packet, but you skipped including any
> details of the alert.
These were the complete contents of the alert log. That's why it's so
difficult to find out why snort logs them.
> Which rule or preprocessor is generating the alert/log?
I am afraid "core" snort. The "log" rules.
> did you start snort with the -o parameter?
Snort is started with
/usr/local/bin/snort -dev -D -A full -c /etc/snort/snort.conf
snort.conf looks like ...
var WEB <ip-addr>
var IDS <ip-addr>
preprocessor http_decode: 80 8080
pass tcp $WEB any <> $DB 5000
pass tcp $IDS any <> $MAIL 1984
pass tcp any any <> $MAIL 80
pass icmp any any <> any any
log tcp any any <> any any (logto:"important.log";)
log udp any any <> any any (logto:"important.log";)
log icmp any any <> any any (logto:"important.log";)
It's the file important.log that contains very few messages that usually
get "pass"ed by a pass rule. These connections occur every 2 minutes,
but only a couple per day are logged (not all the packets!), and only
the response packets of TCP connections from the snort machine to
another. And only if the ephemeral local port is 3306. Very strange.
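An added example, not code from the original post or from Snort itself: a small Python model of how Snort 2.x walks its rule types (alert, pass, log by default; pass first with -o), run over the pass/log rules quoted above plus one constructed alert rule. The $DB/$MAIL addresses and the sample packets are assumptions made up for illustration, evaluation is a first-match simplification of the real detection engine, and it does not diagnose the poster's problem.

```python
# Added example: toy model of Snort 2.x rule-type ordering, run over the
# pass/log rules quoted in the post. Addresses, packets and the extra alert
# rule are constructed assumptions; evaluation is first-match (simplified).
VARS = {"WEB": "10.0.0.10", "IDS": "10.0.0.20",
        "DB": "10.0.0.30", "MAIL": "10.0.0.40"}  # assumed var values
RULES = [
    "pass tcp $WEB any <> $DB 5000",
    "pass tcp $IDS any <> $MAIL 1984",
    "pass tcp any any <> $MAIL 80",
    "pass icmp any any <> any any",
    "log tcp any any <> any any",
    "log udp any any <> any any",
    "log icmp any any <> any any",
    "alert tcp any any -> any 3306",  # constructed, NOT in the original config
]
DEFAULT_ORDER = ("alert", "pass", "log")  # snort started without -o
PASS_FIRST = ("pass", "alert", "log")     # snort started with -o

def endpoint_ok(ip, port, want_ip, want_port):
    want_ip = VARS[want_ip[1:]] if want_ip.startswith("$") else want_ip
    return (want_ip == "any" or ip == want_ip) and \
           (want_port == "any" or port == int(want_port))

def rule_matches(rule, pkt):
    """Match protocol and endpoints; '<>' also accepts the reversed direction."""
    _, proto, src, sport, direction, dst, dport = rule.split()[:7]
    if proto != pkt["proto"]:
        return False
    forward = endpoint_ok(pkt["src"], pkt["sport"], src, sport) and \
              endpoint_ok(pkt["dst"], pkt["dport"], dst, dport)
    reverse = endpoint_ok(pkt["dst"], pkt["dport"], src, sport) and \
              endpoint_ok(pkt["src"], pkt["sport"], dst, dport)
    return forward or (direction == "<>" and reverse)

def evaluate(pkt, order):
    """Walk rule types in the given order; the first matching rule decides."""
    for action in order:
        for rule in RULES:
            if rule.startswith(action + " ") and rule_matches(rule, pkt):
                return action
    return "none"

# Constructed packets: a web->db query on port 5000, its reply, a stray UDP datagram.
QUERY = {"proto": "tcp", "src": VARS["WEB"], "sport": 3306, "dst": VARS["DB"], "dport": 5000}
REPLY = {"proto": "tcp", "src": VARS["DB"], "sport": 5000, "dst": VARS["WEB"], "dport": 3306}
UDP = {"proto": "udp", "src": "192.0.2.7", "sport": 53, "dst": VARS["WEB"], "dport": 40000}
```

evaluate(REPLY, DEFAULT_ORDER) returns "alert" while evaluate(REPLY, PASS_FIRST) returns "pass": the same reply packet is handled differently depending on -o, whereas the UDP datagram reaches the log rules either way.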