[Snort-users] Problems with Policy-Based Rules file
Kaplan, Andrew H.
AHKAPLAN at ...10063...
Wed Nov 3 11:24:13 EST 2004
Hi there --
I am running into problems with alerts despite my using and reconfiguring of the
policy-based.rules file. Here are the biggest problems:
1. Two servers with the addresses of 192.168.2.2 and 192.168.2.3 are sending
requests via port 1985 to the 18.104.22.168:1985 multicast address via UDP. I added
a section to the file that calls for a pass of said traffic from both servers
via TCP and UDP. Even though I added it to the file, I am still getting
a large number of alerts from both machines.
2. A server with the address of 22.214.171.124 is sending requests via port 631 to
the broadcast address 126.96.36.199:631 via UDP. The
same procedure that was done for the servers mentioned in item 1 was also
applied here with the same adverse results still occurring.
3. Another server with the address of 188.8.131.52 has the same problems and
attempted corrections that the server in item two is having.
The version of Snort that is being run is version 2.1.3, and the syntax used to
run the program is /usr/sbin/snort -o -u snort -g snort -d -D -c
/etc/snort/snort.conf -i eth0
The eth0 interface does not have an ip address bound to it, while a check of the
/var/log/messages file indicates that when Snort is started, the NIC does enter
mode, and subsequently leaves it when the program is stopped.
Any ideas on this would be greatly appreciated.
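One way the pass rules for the three cases above could be written, as an added example that is not from the original post; the addresses and ports are those quoted in the message, the sids are constructed placeholders, and the destination for item 3 is an assumption:

```snort
# Added example pass rules (not from the original post). Snort 2.x evaluates
# pass rules before alert rules only when started with -o; the default order
# is alert, pass, log, in which case an alert rule wins and the pass is moot.
#
# Item 1: both servers to the multicast address on UDP/1985. A pass rule
# matches a single protocol, so a TCP pass rule does nothing for UDP alerts;
# the UDP rule has to be written explicitly.
pass udp [192.168.2.2,192.168.2.3] any -> 18.104.22.168 1985 (msg:"PASS servers to multicast 1985/udp"; sid:1000001; rev:1;)

# Item 2: UDP/631 to the broadcast address.
pass udp 22.214.171.124 any -> 126.96.36.199 631 (msg:"PASS broadcast 631/udp"; sid:1000002; rev:1;)

# Item 3: the post only says this host has "the same problems" as item 2, so
# the same broadcast destination is assumed here (constructed assumption).
pass udp 188.8.131.52 any -> 126.96.36.199 631 (msg:"PASS broadcast 631/udp"; sid:1000003; rev:1;)
```

These rules only take effect if snort.conf reaches the file through an `include` line, and `snort -T -c /etc/snort/snort.conf` parses the configuration and reports whether the rules loaded. Alerts raised by preprocessors (portscan, for example) are generated before rule matching and are not silenced by pass rules, so checking the alert source is the first thing to verify.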