[Snort-users] Re: Confused about rules and logs
richard_bejtlich at ...131...
Mon May 10 04:12:01 EDT 2004
> I'm running snort version 1.7 on a NetBSD Firewall.

I strongly recommend you upgrade to a version of Snort
not found in the www.snort.org/dl/do_not_use/
directory. The version you are running is vulnerable
to several exploits.

Don't feel too badly about your spp_portscan alerts.
You can't solve the issue for the same reason we can't
-- you only have alert data on hand. Alert data is
rarely sufficient on its own. You need to augment
alert data from Snort with full content and/or session

For full content data, I recommend using Ethereal
(www.ethereal.com); watch for UDP traffic from
192.168.2.252. If you're on a really busy network and
want a bigger picture view, use Argus
(www.qosient.com/argus) to collect session data.
Watch for sessions involving 192.168.2.252.

Remember Snort alerts are only indicators. They are
the start of an investigation, not the end. It's the
same for every IDS.

If you need help deciphering what you see, post a
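The workflow the reply describes (treat the spp_portscan alert as an indicator, then pull the session records involving the alerted host to see what it was actually doing) can be sketched in a few lines. The script below is an added example written for this page; it is not from the thread, from Snort, or from Argus. The alert lines and the session records are constructed samples: the spp_portscan message shape is approximate, and the session layout is a simplified Argus-style format, not real `ra` output. The functions `alert_sources`, `parse_sessions`, `sessions_involving` and `triage` are all hypothetical names chosen here.

```python
import re
from collections import Counter

# Constructed sample Snort alert lines (spp_portscan message shape is approximate).
ALERT_LINES = [
    "05/09-23:58:01.123456  [**] spp_portscan: PORTSCAN DETECTED from 192.168.2.252 "
    "(THRESHOLD 4 connections exceeded in 0 seconds) [**]",
    "05/09-23:59:10.000000  [**] spp_portscan: End of portscan from 192.168.2.252: "
    "TOTAL time(2s) hosts(1) TCP(0) UDP(5) [**]",
]

# Constructed session records in a simplified Argus-style layout (not real ra output):
# start proto src:sport -> dst:dport packets bytes
SESSION_LINES = [
    "23:58:00 udp 192.168.2.252:1027 -> 192.168.2.1:53 2 180",
    "23:58:00 udp 192.168.2.252:1028 -> 192.168.2.1:53 2 176",
    "23:58:01 udp 192.168.2.252:1029 -> 192.168.2.1:53 2 190",
    "23:58:01 udp 192.168.2.252:1030 -> 192.168.2.1:53 2 184",
    "23:58:01 udp 192.168.2.252:1031 -> 192.168.2.1:53 2 178",
    "23:58:05 tcp 192.168.2.10:40001 -> 192.168.2.252:22 40 6000",
    "23:58:07 udp 192.168.2.50:5000 -> 192.168.2.60:5001 1 100",
]

ALERT_RE = re.compile(r"PORTSCAN DETECTED from (\d{1,3}(?:\.\d{1,3}){3})")
SESSION_RE = re.compile(
    r"^(?P<start>\S+) (?P<proto>\w+) (?P<src>\S+):(?P<sport>\d+) -> "
    r"(?P<dst>\S+):(?P<dport>\d+) (?P<pkts>\d+) (?P<bytes>\d+)$"
)


def alert_sources(alert_lines):
    """Return the distinct source hosts named in spp_portscan 'DETECTED' alerts."""
    hosts = set()
    for line in alert_lines:
        m = ALERT_RE.search(line)
        if m:
            hosts.add(m.group(1))
    return sorted(hosts)


def parse_sessions(session_lines):
    """Parse the constructed session layout into dicts; lines that do not fit are skipped."""
    sessions = []
    for line in session_lines:
        m = SESSION_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sport", "dport", "pkts", "bytes"):
            rec[key] = int(rec[key])
        sessions.append(rec)
    return sessions


def sessions_involving(sessions, host):
    """Every session where the host is either endpoint (the 'watch for sessions' step)."""
    return [s for s in sessions if host in (s["src"], s["dst"])]


def triage(alert_lines, session_lines):
    """For each alerted source, gather the session context needed to judge the alert.

    A portscan hypothesis predicts many distinct destination ports or hosts; a
    single (host, port) pair hit repeatedly points at ordinary traffic such as
    DNS lookups, which is exactly what alert data alone cannot tell apart.
    """
    sessions = parse_sessions(session_lines)
    report = {}
    for host in alert_sources(alert_lines):
        involved = sessions_involving(sessions, host)
        outbound_udp = [s for s in involved if s["src"] == host and s["proto"] == "udp"]
        targets = Counter((s["dst"], s["dport"]) for s in outbound_udp)
        report[host] = {
            "session_count": len(involved),
            "udp_targets": dict(targets),
            "distinct_udp_dst_ports": len({s["dport"] for s in outbound_udp}),
            "distinct_udp_dst_hosts": len({s["dst"] for s in outbound_udp}),
        }
    return report


if __name__ == "__main__":
    for host, info in triage(ALERT_LINES, SESSION_LINES).items():
        print(host, info)
```

With the constructed data, the alerted host's UDP sessions all go to one host on port 53, so the session view argues for DNS activity rather than a scan; the same code run over real session records (from Argus or a comparable collector) would show the spread of ports and hosts that a genuine scan produces.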