erek at ...950...
Tue Jul 15 12:19:24 EDT 2003
On Tue, 15 Jul 2003, Helder Miguel Rodrigues wrote:
> Hello I have my workstation running snort with no probs.
> My workstation is directly connected to the internet via eth0!
> so I have in my config file:
> var HOME_NET $eth0_ADDRESS
> var EXTERNAL_NET !$HOME_NET
> But in acid it appears ATTACK RESPONSES 403 and my CHAT MSN messages,
> how can I prevent logging these things?
> I just want to log what came from the internet, not what goes to the
Well, one thing that you should always do is _look_ at the rule if it's
firing and you don't think it should.
Since you didn't give the SIDs of the rules, I'll have to guess a bit.
[erek at ...6976...]/etc/snort/rules>grep -i "chat msn" *.rules
chat.rules:alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN
message"; flow:established; content:"MSG "; depth:4;
content:"Content-Type\:"; content:"text/plain"; distance:1;
classtype:misc-activity; sid:540; rev:8;)
Now, notice that there's a bi-directional operator there? With that rule,
if Snort sees that traffic, it's going to alert. It doesn't care. And if
you recall, chat.rules isn't enabled by default.
Now, let's look at the next one.
[erek at ...6976...]/etc/snort/rules>grep -i "attack responses 403" *.rules
attack-responses.rules:alert tcp $HTTP_SERVERS $HTTP_PORTS ->
$EXTERNAL_NET any (msg:"ATTACK RESPONSES 403 Forbidden";
flow:from_server,established; content:"HTTP/1.1 403"; depth:12;
classtype:attempted-recon; sid:1201; rev:6;)
Now, that's looking at traffic with a source as HTTP_SERVERS going to a
destination of EXTERNAL_NET. Since HTTP_SERVERS is HOME_NET by default,
then it's going to alert if that traffic/pattern matches.
Snort's working just fine. It's just not working how you thought it was.
Fixes? Sure. Disable the rules, write pass rules, or use a BPF filter.
See the FAQ on 'ignoring traffic'.
"When things get weird, the weird turn pro." H.S. Thompson
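The header matching the reply walks through, as an added example that is not part of the thread or of Snort's own code: it models how the $HOME_NET/$EXTERNAL_NET variables, the '<>' operator and HTTP_SERVERS defaulting to HOME_NET make sid:540 and sid:1201 fire on a single workstation, and how a pass rule silences one of them. The addresses, the pass rule and its sid are constructed, content matching is not modelled, and it assumes pass rules are evaluated before alert rules.

```python
# Added example (not from the thread): a model of Snort 2 rule-header matching
# showing why sid:540 and sid:1201 fire when HOME_NET is the workstation itself.
from ipaddress import ip_address, ip_network
VARS = {  # the poster's variables; 192.0.2.10 is a constructed address
    "HOME_NET": "192.0.2.10/32",
    "EXTERNAL_NET": "!$HOME_NET",
    "HTTP_SERVERS": "$HOME_NET",  # Snort's default: HTTP_SERVERS is HOME_NET
    "HTTP_PORTS": "80",
}

def resolve(spec):
    """Expand $VAR references; fold any leading '!' into a negate flag."""
    negate = False
    while spec[0] in "!$":
        if spec[0] == "!":
            negate, spec = not negate, spec[1:]
        else:
            spec = VARS[spec[1:]]
    return spec, negate

def addr_matches(spec, ip):
    spec, negate = resolve(spec)
    return (spec == "any" or ip_address(ip) in ip_network(spec)) != negate

def port_matches(spec, port):
    spec, negate = resolve(spec)
    return (spec == "any" or int(spec) == port) != negate

def header_matches(header, flow):
    """flow = (src_ip, src_port, dst_ip, dst_port). A '<>' header is also
    tried reversed, so sid:540 matches both halves of a chat session."""
    _act, _proto, src, sport, direction, dst, dport = header.split()
    s_ip, s_port, d_ip, d_port = flow
    def one_way(a, ap, b, bp):
        return (addr_matches(a, s_ip) and port_matches(ap, s_port)
                and addr_matches(b, d_ip) and port_matches(bp, d_port))
    return one_way(src, sport, dst, dport) or (
        direction == "<>" and one_way(dst, dport, src, sport))

def firing_sids(rules, flow):
    """Alert sids that fire on the header alone (content matches are not
    modelled). Assumes pass rules are evaluated before alert rules."""
    hits = [(sid, h) for sid, h in rules if header_matches(h, flow)]
    if any(h.startswith("pass") for _, h in hits):
        return []
    return sorted(sid for sid, h in hits if h.startswith("alert"))
RULES = [(540, "alert tcp $HOME_NET any <> $EXTERNAL_NET 1863"),
         (1201, "alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any")]
PASS_MSN = (1000001, "pass tcp $HOME_NET any <> $EXTERNAL_NET 1863")  # constructed
```

An outbound MSN session and its reply both hit sid:540, and the workstation answering on port 80 hits sid:1201 because HTTP_SERVERS resolves to HOME_NET; adding the pass rule removes the sid:540 alert.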