[Snort-users] false alarm with snort 2.0, why?

Holger Marzen holger at ...9053...
Tue Apr 29 00:11:13 EDT 2003


On Mon, 28 Apr 2003, Matt Kettler wrote:

> You included some details of the packet, but you skipped including any
> details of the alert.

These were the complete contents of the alert log. That's why it's so
difficult to find out why snort logs them.

> Which rule or preprocessor is generating the alert/log?

I am afraid "core" snort. The "log" rules.

> did you start snort with the -o parameter?

Snort is started with

/usr/local/bin/snort -dev -D -A full -c /etc/snort/snort.conf

snort.conf looks like ...

var WEB <ip-addr>
var IDS <ip-addr>
[...]
preprocessor http_decode: 80 8080
pass tcp $WEB any <> $DB 5000
pass tcp $IDS any <> $MAIL 1984
pass tcp any  any <> $MAIL 80
[...]
pass icmp any any <> any any
[...]
log tcp any any <> any any  (logto:"important.log";)
log udp any any <> any any  (logto:"important.log";)
log icmp any any <> any any (logto:"important.log";)

It's the file important.log that contains very few messages that usually
get "pass"ed by a pass rule. These connections occur every 2 minutes,
but only a couple per day are logged (not all the packets!), and only
the response packets of TCP connections from the snort machine to
another. And only if the ephemeral local port is 3306. Very strange.

-- 
PGP/GPG Key-ID:
http://blackhole.pca.dfn.de:11371/pks/lookup?op=get&search=0xB5A1AFE1
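A toy evaluator for the rule headers quoted in the post, added here as an example (not Snort's own code): it applies the `<>` bidirectional matching and `$VAR` substitution to the described response packet and shows which quoted rules it hits, plus the rule-group order Snort 2.x uses by default (alert, pass, log) versus with `-o` (pass, alert, log). The IP addresses are constructed placeholders.

```python
# Toy evaluator for the Snort 2.x rule headers quoted above.
# Constructed example, not Snort's own code; the addresses are made up.
VARS = {"WEB": "192.0.2.10", "IDS": "192.0.2.20",
        "DB": "192.0.2.30", "MAIL": "192.0.2.40"}

RULES = """
pass tcp $WEB any <> $DB 5000
pass tcp $IDS any <> $MAIL 1984
pass tcp any any <> $MAIL 80
pass icmp any any <> any any
log tcp any any <> any any (logto:"important.log";)
log udp any any <> any any (logto:"important.log";)
log icmp any any <> any any (logto:"important.log";)
"""

def parse_rule(line):
    """Split a rule header: action proto src sport dir dst dport; drop the options."""
    action, proto, src, sport, dirn, dst, dport = line.split("(")[0].split()
    sub = lambda tok: VARS[tok[1:]] if tok.startswith("$") else tok
    return {"action": action, "proto": proto, "dir": dirn,
            "src": sub(src), "sport": sport, "dst": sub(dst), "dport": dport}

def _end_ok(addr, port, pkt_addr, pkt_port):
    return addr in ("any", pkt_addr) and (port == "any" or int(port) == pkt_port)

def rule_matches(rule, pkt):
    """'->' matches one direction only; '<>' matches either direction."""
    if rule["proto"] != pkt["proto"]:
        return False
    fwd = (_end_ok(rule["src"], rule["sport"], pkt["src"], pkt["sport"])
           and _end_ok(rule["dst"], rule["dport"], pkt["dst"], pkt["dport"]))
    if rule["dir"] == "->":
        return fwd
    rev = (_end_ok(rule["src"], rule["sport"], pkt["dst"], pkt["dport"])
           and _end_ok(rule["dst"], rule["dport"], pkt["src"], pkt["sport"]))
    return fwd or rev

RULESET = [parse_rule(l) for l in RULES.strip().splitlines()]

def matching_actions(pkt, rules=RULESET):
    return [r["action"] for r in rules if rule_matches(r, pkt)]

def decide(pkt, pass_first=False, rules=RULESET):
    """Snort 2.x checks rule groups in the order alert, pass, log by default;
    -o changes it to pass, alert, log. The first group with a hit decides."""
    order = ("pass", "alert", "log") if pass_first else ("alert", "pass", "log")
    hits = set(matching_actions(pkt, rules))
    return next((a for a in order if a in hits), None)

# The response packet described in the post: $MAIL:80 back to the IDS host, local port 3306.
RESPONSE = {"proto": "tcp", "src": VARS["MAIL"], "sport": 80,
            "dst": VARS["IDS"], "dport": 3306}

if __name__ == "__main__":
    print(matching_actions(RESPONSE), decide(RESPONSE), decide(RESPONSE, pass_first=True))
```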