[Snort-users] Re: Confused about rules and logs

Richard Bejtlich richard_bejtlich at ...131...
Mon May 10 04:12:01 EDT 2004

b311b wrote:

I'm running snort version 1.7 on a NetBSD Firewall.  


I strongly recommend you upgrade to a version of Snort
not found in the www.snort.org/dl/do_not_use/
directory.  The version you are running is vulnerable
to several exploits.

Don't feel too badly about your spp_portscan alerts. 
You can't solve the issue for the same reason we can't
-- you only have alert data on hand.  Alert data is
rarely sufficient on its own.  You need to augment
alert data from Snort with full content and/or session

For full content data, I recommend using Ethereal
(www.ethereal.com); watch for UDP traffic from

If you're on a really busy network and
want a bigger picture view, use Argus
(www.qosient.com/argus) to collect session data.
Watch for sessions involving
Remember Snort alerts are only indicators.  They are
the start of an investigation, not the end.  It's the
same for every IDS.

If you need help deciphering what you see, post a
trace here.



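Added example (not part of the original post or of the Snort, Ethereal or Argus projects): the reply above recommends augmenting Snort alert data with session data so that a portscan alert can be judged in context. The script below reduces a list of packet records to bidirectional session records, roughly what Argus produces, then pulls the sessions involving the alerting host around the alert time and profiles how many distinct destination ports it touched and how many of those answered. The packet list, hosts, timestamps and the alert time are all constructed for the example; in practice the records would come from a pcap or from Argus output.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    size: int


@dataclass
class Session:
    proto: str
    a: str          # endpoint that sent the first packet of the session
    aport: int
    b: str
    bport: int
    start: float
    end: float
    pkts_ab: int = 0
    pkts_ba: int = 0
    bytes_ab: int = 0
    bytes_ba: int = 0

    def involves(self, host):
        return host in (self.a, self.b)


def _key(p):
    # Direction-independent key so a request and its reply land in one session.
    ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, *ends[0], *ends[1])


def summarize(packets):
    """Collapse packet records into session records (Argus-style flow summary)."""
    sessions = {}
    for p in sorted(packets, key=lambda x: x.ts):
        s = sessions.get(_key(p))
        if s is None:
            s = Session(p.proto, p.src, p.sport, p.dst, p.dport, p.ts, p.ts)
            sessions[_key(p)] = s
        s.end = max(s.end, p.ts)
        if (p.src, p.sport) == (s.a, s.aport):
            s.pkts_ab += 1
            s.bytes_ab += p.size
        else:
            s.pkts_ba += 1
            s.bytes_ba += p.size
    return list(sessions.values())


def sessions_near_alert(sessions, host, alert_ts, window=60.0):
    """Sessions touching `host` that overlap [alert_ts - window, alert_ts + window]."""
    lo, hi = alert_ts - window, alert_ts + window
    return [s for s in sessions if s.involves(host) and s.end >= lo and s.start <= hi]


def scan_profile(sessions, host):
    """Per destination: (distinct ports probed by host, ports that sent anything back).

    Many probed ports with few replies is what a real sweep looks like; a handful
    of ports that all answer is ordinary client traffic that spp_portscan may
    still have flagged."""
    probed, answered = defaultdict(set), defaultdict(set)
    for s in sessions:
        if s.a != host:
            continue
        probed[s.b].add(s.bport)
        if s.pkts_ba:
            answered[s.b].add(s.bport)
    return {dst: (len(probed[dst]), len(answered[dst])) for dst in probed}


T0 = 1084176000.0            # constructed epoch base for the sample traffic
ALERT_TS = T0 + 1.0          # constructed spp_portscan alert time for 10.0.0.5


def sample_packets():
    """Constructed traffic: a UDP sweep, one legitimate DNS exchange, one unrelated TCP flow."""
    pk = []
    for i in range(20):      # 10.0.0.5 probes ports 1..20 on 192.168.1.10, nothing answers
        pk.append(Packet(T0 + i * 0.05, "10.0.0.5", 40000 + i, "192.168.1.10", 1 + i, "udp", 28))
    pk.append(Packet(T0 + 2.0, "10.0.0.5", 5353, "192.168.1.53", 53, "udp", 60))
    pk.append(Packet(T0 + 2.01, "192.168.1.53", 53, "10.0.0.5", 5353, "udp", 120))
    pk.append(Packet(T0 + 600.0, "10.0.0.7", 1234, "192.168.1.80", 80, "tcp", 300))
    pk.append(Packet(T0 + 600.1, "192.168.1.80", 80, "10.0.0.7", 1234, "tcp", 1500))
    return pk


if __name__ == "__main__":
    sess = summarize(sample_packets())
    for s in sessions_near_alert(sess, "10.0.0.5", ALERT_TS):
        print(f"{s.proto} {s.a}:{s.aport} -> {s.b}:{s.bport} "
              f"pkts {s.pkts_ab}/{s.pkts_ba} bytes {s.bytes_ab}/{s.bytes_ba}")
    print(scan_profile(sess, "10.0.0.5"))
```

The session view makes the decision the alert alone cannot: the sweep shows up as twenty single-packet, unanswered sessions to consecutive ports, while the DNS lookup from the same host is a normal two-way exchange. Full content (a pcap from Ethereal) would then tell you what the probe packets actually carried.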
