[Snort-users] PLEASE CC ME

Erek Adams erek at ...950...
Sat Nov 8 17:39:21 EST 2003


On Sat, 8 Nov 2003, Sean Lazar wrote:

> What port does your proxy run on? Is it 8080?
>
> The rule is:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy \(8080\)
> attempt"; flags:S,12; classtype:attempted-recon; sid:620; rev:3;)
> http://www.snort.org/snort-db/sid.html?sid=620
>
> This rule, if I am reading it right, will trigger on any connection to 8080
> in your home net. This one gets a lot of false positives probably because
> 8080 is a popular port.
>
> Nothing to worry about, just turn off the rule.

Nope...  Leave the rule on.

Just change EXTERNAL_NET from "any" to !$HOME_NET.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
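
Added example, not part of the original post and not Snort's own code: a small Python model of the header and flags test in the sid:620 rule quoted above, run over constructed packets to show which alerts go away when EXTERNAL_NET changes from "any" to !$HOME_NET. The 192.168.1.0/24 HOME_NET, the addresses and the function names are assumptions made for the illustration.

```python
import ipaddress

# Assumed HOME_NET; the thread does not state the poster's real network.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

SYN, ACK = 0x02, 0x10
RESERVED = 0xC0  # the two reserved bits that "flags:S,12" masks out


def in_external(src, external_net):
    """Evaluate the EXTERNAL_NET variable for a source address."""
    if external_net == "any":
        return True
    if external_net == "!$HOME_NET":
        return src not in HOME_NET
    raise ValueError("unsupported setting: " + external_net)


def sid_620_matches(pkt, external_net):
    """Model of: alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (flags:S,12; ...)"""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    syn_only = (pkt["flags"] & ~RESERVED) == SYN  # SYN alone, reserved bits ignored
    return (in_external(src, external_net) and dst in HOME_NET
            and pkt["dport"] == 8080 and syn_only)


# Constructed packets (name, source, destination, destination port, TCP flags).
PACKETS = [
    {"name": "LAN client -> LAN proxy", "src": "192.168.1.50",
     "dst": "192.168.1.10", "dport": 8080, "flags": SYN},
    {"name": "outside host -> LAN proxy", "src": "203.0.113.7",
     "dst": "192.168.1.10", "dport": 8080, "flags": SYN},
    {"name": "outside SYN with reserved bits", "src": "203.0.113.7",
     "dst": "192.168.1.10", "dport": 8080, "flags": SYN | RESERVED},
    {"name": "outside SYN/ACK", "src": "203.0.113.7",
     "dst": "192.168.1.10", "dport": 8080, "flags": SYN | ACK},
    {"name": "outside host -> LAN port 80", "src": "203.0.113.7",
     "dst": "192.168.1.10", "dport": 80, "flags": SYN},
]


def alerts(external_net):
    """Names of the constructed packets that would fire sid:620."""
    return [p["name"] for p in PACKETS if sid_620_matches(p, external_net)]


if __name__ == "__main__":
    for setting in ("any", "!$HOME_NET"):
        print("EXTERNAL_NET = %-10s -> %s" % (setting, alerts(setting)))
```

With "any", the internal client reaching the internal proxy fires the rule alongside the outside connection attempts; with !$HOME_NET only the outside SYNs remain.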



