[Snort-users] Re: Confused about rules and logs

Richard Bejtlich richard_bejtlich at ...131...
Mon May 10 04:12:01 EDT 2004


b311b wrote:

I'm running snort version 1.7 on a NetBSD Firewall.  

--

I strongly recommend you upgrade to a version of Snort
not found in the www.snort.org/dl/do_not_use/
directory.  The version you are running is vulnerable
to several exploits.
(www.cert.org/advisories/CA-2003-13.html)

Don't feel too badly about your spp_portscan alerts. 
You can't solve the issue for the same reason we can't
-- you only have alert data on hand.  Alert data is
rarely sufficient on its own.  You need to augment
alert data from Snort with full content and/or session
data.  

For full content data, I recommend using Ethereal
(www.ethereal.com); watch for UDP traffic from
192.168.2.252.  If you're on a really busy network and
want a bigger picture view, use Argus
(www.qosient.com/argus) to collect session data. 
Watch for sessions involving 192.168.2.252.

Remember Snort alerts are only indicators.  They are
the start of an investigation, not the end.  It's the
same for every IDS.

If you need help deciphering what you see, post a
trace here.

Sincerely,

Richard
http://www.taosecurity.com
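The advice above is to pull session data for the host named in the alerts rather than reason from the alert alone. As an added illustration that is not part of Richard's reply or of Snort, Ethereal or Argus, the script below does the Argus-style rollup in pure Python: it reads a classic pcap (Ethernet link type), keeps only UDP packets that involve the host from the thread, and summarises them per flow. The capture it reads is constructed inline (a few DNS lookups from 192.168.2.252 plus one unrelated packet) so it runs offline; the frame contents, timestamps and the 10.0.0.5 host are assumed for the example.

```python
import struct
from collections import defaultdict

HOST = "192.168.2.252"  # the host Richard suggests watching (from the thread)


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def udp_frame(src, dst, sport, dport, payload):
    """Build one Ethernet/IPv4/UDP frame (constructed; checksums left at 0)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ip_to_bytes(src), ip_to_bytes(dst)) + udp
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip


def build_pcap(frames):
    """Serialise frames into little-endian classic pcap bytes, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1084000000 + i, 0, len(f), len(f)) + f
    return out


def iter_packets(pcap):
    """Yield (timestamp, frame bytes) from a classic pcap of either byte order."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, pcap[off:off + incl]
        off += incl


def parse_udp(frame):
    """Return (src, dst, sport, dport, payload_len) or None if not IPv4/UDP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src, dst = bytes_to_ip(frame[26:30]), bytes_to_ip(frame[30:34])
    sport, dport, ulen = struct.unpack("!HHH", frame[14 + ihl:14 + ihl + 6])
    return src, dst, sport, dport, ulen - 8


def session_summary(pcap, host):
    """Per-flow rollup (packets, bytes, first/last seen) of UDP traffic touching host."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for ts, frame in iter_packets(pcap):
        rec = parse_udp(frame)
        if rec is None:
            continue
        src, dst, sport, dport, plen = rec
        if host not in (src, dst):
            continue
        f = flows[(src, sport, dst, dport)]
        f["packets"] += 1
        f["bytes"] += plen
        f["first"] = ts if f["first"] is None else f["first"]
        f["last"] = ts
    return dict(flows)


def dst_ports_contacted(flows, host):
    """Destination ports the host itself sent to; many source ports to one port is ordinary DNS."""
    return {dport for (src, _, _, dport) in flows if src == host}


# Constructed sample capture: three DNS lookups from HOST (ephemeral source ports,
# the last one retransmitted), their answers, and one packet that does not involve HOST.
SAMPLE_FRAMES = [
    udp_frame(HOST, "192.168.2.1", 40001, 53, b"q" * 32),
    udp_frame("192.168.2.1", HOST, 53, 40001, b"r" * 80),
    udp_frame(HOST, "192.168.2.1", 40002, 53, b"q" * 30),
    udp_frame("192.168.2.1", HOST, 53, 40002, b"r" * 70),
    udp_frame(HOST, "192.168.2.1", 40003, 53, b"q" * 30),
    udp_frame(HOST, "192.168.2.1", 40003, 53, b"q" * 30),
    udp_frame("10.0.0.5", "192.168.2.1", 5000, 161, b"x" * 40),  # assumed unrelated host
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    flows = session_summary(SAMPLE_PCAP, HOST)
    for (src, sport, dst, dport), f in sorted(flows.items()):
        print(f"{src}:{sport} -> {dst}:{dport}  pkts={f['packets']} bytes={f['bytes']}")
    print("destination ports contacted by host:", dst_ports_contacted(flows, HOST))
```

Point the script at a real capture by replacing SAMPLE_PCAP with the bytes of a pcap file written by Ethereal/tcpdump; the per-flow view is what lets you tell ordinary traffic such as DNS from different source ports apart from something that genuinely warrants the spp_portscan alert.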





