[Snort-users] Problems with Policy-Based Rules file

Kaplan, Andrew H. AHKAPLAN at ...10063...
Wed Nov 3 11:24:13 EST 2004

Hi there --

I am running into problems with alerts despite my using and reconfiguring of the
policy-based.rules file. Here are the biggest problems:

1. Two servers with the addresses of and are sending
requests via port 1985 to the multicast address via UDP. I added 
a section to the file that calls for a pass of said traffic from both servers
via TCP and UDP. Even though I added it to the file, I am still getting 
a large amount of alerts from both machines.

2. A server with the address of is sending requests via port 631 to
the broadcast address via UDP. The 
same procedure that was done for the servers mentioned in item 1 was also
applied here with the same adverse results still occurring. 

3. Another server with the address of has the same problems and
attempted corrections that the server in item two is having. 

The version of Snort that is being run is version 2.1.3, and the syntax used to
run the program is /usr/sbin/snort -o -u snort -g snort -d -D -c
/etc/snort/snort.conf -i eth0

The eth0 interface does not have an ip address bound to it, while a check of the
/var/log/messages file indicates that when Snort is started, the NIC does enter
mode, and subsequently leaves it when the program is stopped.

Any ideas on this would be greatly appreciated.
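As an added example (not the poster's policy-based.rules file), this is how pass rules for the three traffic patterns described above are written in Snort 2.x syntax; the source and broadcast addresses are placeholders, since the real ones are not on the page. With the `-o` switch already in the poster's command line, Snort 2.1.3 evaluates pass rules before alert rules, which is the only ordering in which they suppress anything.

```snort
# Added example: pass rules for the traffic described in items 1-3.
# Addresses below are placeholders (documentation range), not the poster's real hosts.
var MCAST_SENDERS [192.0.2.10,192.0.2.11]
var BCAST_SENDER 192.0.2.20

# Item 1: UDP/1985 from the two servers to any multicast destination.
# The post says the traffic is UDP, so no matching TCP rule is needed.
pass udp $MCAST_SENDERS any -> 224.0.0.0/4 1985 (msg:"pass known udp/1985 multicast"; sid:1000001; rev:1;)

# Items 2 and 3: UDP/631 from the server to the broadcast address.
# Use the directed broadcast of the local subnet if that is what fires the alert.
pass udp $BCAST_SENDER any -> 255.255.255.255 631 (msg:"pass known udp/631 broadcast"; sid:1000002; rev:1;)
```

If alerts persist, compare the protocol, ports and direction of the firing alert rule with the pass rule, since a pass rule only silences rules whose header it matches exactly. Alerts generated by a preprocessor rather than a rule are unaffected by pass rules and need to be tuned in the preprocessor configuration instead.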
