[Snort-users] Problems with Policy-Based Rules file

Kaplan, Andrew H. AHKAPLAN at ...10063...
Wed Nov 3 11:24:13 EST 2004


Hi there --

I am running into problems with alerts despite using and reconfiguring the
policy-based.rules file. Here are the biggest problems:

1. Two servers with the addresses 192.168.2.2 and 192.168.2.3 are sending
requests via port 1985 to the multicast address 226.0.0.2:1985 via UDP. I added
a section to the file that calls for a pass of said traffic from both servers
via TCP and UDP. Even though I added it to the file, I am still getting
a large number of alerts from both machines.

2. A server with the address 178.134.10.5 is sending requests via port 631 to
the broadcast address 178.134.10.255:631 via UDP. The same procedure that was
done for the servers mentioned in item 1 was also applied here, with the same
adverse results still occurring.

3. Another server with the address 180.220.100.45 has the same problems, and
the same attempted corrections, as the server in item 2.

The version of Snort that is being run is version 2.1.3, and the syntax used to
run the program is:

/usr/sbin/snort -o -u snort -g snort -d -D -c /etc/snort/snort.conf -i eth0

The eth0 interface does not have an IP address bound to it, while a check of the
/var/log/messages file indicates that when Snort is started, the NIC does enter
promiscuous mode, and subsequently leaves it when the program is stopped.

Any ideas on this would be greatly appreciated.
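Added example (not part of the original post or of Snort): a small Python model of how Snort 2.x orders rule actions, run over the three traffic patterns described above. The point it shows is that with the default order (Alert -> Pass -> Log) a pass rule can never suppress an alert, while the -o switch used in the command above changes the order to Pass -> Alert -> Log, which is what makes pass rules effective. Since the poster already uses -o, the remaining things to check are whether each pass rule's header (protocol, addresses, ports, direction) really covers the traffic, which the `matching_pass_rules` check below reports, and whether the events come from a preprocessor rather than a rule, since pass rules only act on rule-based detection. Everything here is constructed: the "stand-in" alert rules simulate whatever rule in the active set is firing (the post does not name it), and the destination for the server in item 3 is assumed to be its subnet broadcast address.

```python
"""Toy model of Snort 2.x rule-action ordering (added example, not Snort code).

Snort 2.x evaluates rules by action class. Default order: Alert -> Pass -> Log.
With -o the order becomes Pass -> Alert -> Log. This model treats the first
action class containing a matching rule as the outcome for the packet; it only
looks at protocol, addresses and ports, and does not model preprocessors.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str   # "pass", "alert" or "log"
    proto: str    # "udp", "tcp" or "ip" (ip matches any transport protocol)
    src: tuple    # tuple of CIDR strings, or ("any",)
    sport: object # int or "any"
    dst: tuple    # tuple of CIDR strings, or ("any",)
    dport: object # int or "any"
    msg: str


def _ip_match(spec, addr):
    if spec == ("any",):
        return True
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(n, strict=False) for n in spec)


def _port_match(spec, port):
    return spec == "any" or spec == port


def rule_matches(rule, pkt):
    """Header match only: protocol, source/destination address and port."""
    return (rule.proto in ("ip", pkt.proto)
            and _ip_match(rule.src, pkt.src) and _port_match(rule.sport, pkt.sport)
            and _ip_match(rule.dst, pkt.dst) and _port_match(rule.dport, pkt.dport))


DEFAULT_ORDER = ("alert", "pass", "log")   # Snort 2.x without -o
ORDER_WITH_O = ("pass", "alert", "log")    # Snort 2.x with -o


def evaluate(rules, pkt, order=DEFAULT_ORDER):
    """Return (action, msg) of the first matching rule in action-class order."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule_matches(rule, pkt):
                return action, rule.msg
    return None, None


def matching_pass_rules(rules, pkt):
    """Check: which pass rules cover this packet? An empty list means the rule
    header (protocol/addresses/ports) does not fit the traffic being alerted on."""
    return [r.msg for r in rules if r.action == "pass" and rule_matches(r, pkt)]


# Constructed rule set. Pass rules follow the cases in the post; TCP and UDP
# need separate rules because a Snort rule header names one protocol. The
# alert rules are stand-ins for whatever rule is actually firing (assumed).
RULES = [
    Rule("pass", "udp", ("192.168.2.2/32", "192.168.2.3/32"), "any", ("226.0.0.2/32",), 1985, "pass multicast 1985 udp"),
    Rule("pass", "tcp", ("192.168.2.2/32", "192.168.2.3/32"), "any", ("226.0.0.2/32",), 1985, "pass multicast 1985 tcp"),
    Rule("pass", "udp", ("178.134.10.5/32",), "any", ("178.134.10.255/32",), 631, "pass ipp broadcast item 2"),
    Rule("pass", "udp", ("180.220.100.45/32",), "any", ("any",), 631, "pass ipp broadcast item 3"),
    Rule("alert", "udp", ("any",), "any", ("any",), 631, "stand-in alert on udp/631"),
    Rule("alert", "udp", ("any",), "any", ("224.0.0.0/4",), "any", "stand-in alert on multicast"),
]

# Constructed packets for the three cases; the item 3 destination is assumed.
PACKETS = {
    "multicast": Packet("udp", "192.168.2.3", 1985, "226.0.0.2", 1985),
    "ipp_item2": Packet("udp", "178.134.10.5", 631, "178.134.10.255", 631),
    "ipp_item3": Packet("udp", "180.220.100.45", 631, "180.220.100.255", 631),
}


def outcomes(order):
    """Map each constructed packet to the action the model takes under `order`."""
    return {name: evaluate(RULES, pkt, order)[0] for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    print("default order:", outcomes(DEFAULT_ORDER))
    print("with -o      :", outcomes(ORDER_WITH_O))
    for name, pkt in PACKETS.items():
        print(name, "covered by pass rules:", matching_pass_rules(RULES, pkt))
```

Running it shows every packet alerting under the default order and passing with -o. If a case still alerts with -o in the model after you substitute the real pass rules from policy-based.rules, `matching_pass_rules` returning an empty list points at a header mismatch (wrong protocol, wrong direction, or a port or address that does not cover the traffic); if the rules do match in the model but Snort still alerts, look at whether a preprocessor, not a rule, is generating the event.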