[Snort-users] Newbie

Josh Berry josh.berry at ...10221...
Fri Feb 27 15:29:04 EST 2004


If you are monitoring the connection outside of the firewall, you are going
to see tons of alerts coming from the Internet. That does not mean that
they are false positives; they are just not being filtered by the
firewall.  You need to tune your ruleset for what is valid in your
environment and properly configure your $HOME_NET variable, setting
$EXTERNAL_NET to !$HOME_NET.

You are not necessarily doing anything wrong; you are always going to have
false positives. It is the nature of IDS.


> I have loaded Snort 2.1.0 on a Linux Fedora box, along with mysql and
> Acid.
> When I place the box on a hub with my gateway router I am flooded with
> alerts that can only be false positives.
>
> What am I doing wrong?
>
> Jim


Thanks,
Josh Berry, CISSP
CTO, VP of Product Development
LinkNet-Solutions
469-831-8543
josh.berry at ...10268...
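
Added example, not part of the original post: a small Python model of how a rule header of the form `alert tcp $EXTERNAL_NET any -> $HOME_NET 80` selects traffic when both variables are `any` versus when they are set as the reply suggests. The packets, the 192.168.1.0/24 range and the helper names are constructed assumptions; this models only address and port matching, not Snort itself.

```python
import ipaddress

# Constructed sample traffic seen by the sensor: (src, dst, dst_port)
PACKETS = [
    ("203.0.113.7", "192.168.1.10", 80),   # Internet -> internal web server
    ("192.168.1.25", "198.51.100.4", 80),  # internal client browsing out
    ("192.168.1.25", "192.168.1.10", 80),  # internal -> internal
]

def in_var(addr, spec, variables):
    """Evaluate a Snort-style address spec: 'any', a CIDR, '$NAME' or '!spec'."""
    if spec.startswith("!"):
        return not in_var(addr, spec[1:], variables)
    if spec.startswith("$"):
        return in_var(addr, variables[spec[1:]], variables)
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def matches(packet, variables, dst_port=80):
    """Header test for: alert tcp $EXTERNAL_NET any -> $HOME_NET 80"""
    src, dst, port = packet
    return (port == dst_port
            and in_var(src, "$EXTERNAL_NET", variables)
            and in_var(dst, "$HOME_NET", variables))

def alerts(variables):
    """Return the sample packets whose header would match the rule."""
    return [p for p in PACKETS if matches(p, variables)]

# Untuned state (assumed): both variables set to 'any'
DEFAULT = {"HOME_NET": "any", "EXTERNAL_NET": "any"}
# Tuned as the reply suggests; 192.168.1.0/24 is an assumed internal range
TUNED = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}

if __name__ == "__main__":
    print("untuned:", len(alerts(DEFAULT)), "of", len(PACKETS), "packets match")
    print("tuned:  ", len(alerts(TUNED)), "of", len(PACKETS), "packets match")
```

With both variables at `any`, the direction in the rule header means nothing and outbound and internal traffic match too; with the tuned values only the inbound connection from outside the home range matches.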




