[Snort-users] FW: Problems with Policy-Based Rules file

Kaplan, Andrew H. AHKAPLAN at ...10063...
Wed Nov 3 13:42:34 EST 2004

>  -----Original Message-----
> From: 	Kaplan, Andrew H.  
> Sent:	Wednesday, November 03, 2004 2:17 PM
> To:	Snort User Group (E-mail)
> Subject:	Problems with Policy-Based Rules file
> Hi there --
> I am running into problems with alerts despite my using and reconfiguring of
> the policy-based.rules file. Here are the biggest problems:
> 1. Two servers with the addresses of and are sending
> requests via port 1985 to the multicast address via UDP. I
> added 
> a section to the file that calls for a pass of said traffic from both servers
> via TCP and UDP. Even though I added it to the file, I am still getting 
> a large amount of alerts from both machines.
> 2. A server with the address of is sending requests via port 631
> to the broadcast address broadcast address via UDP. The 
> same procedure that was done for the servers mentioned in item 1 was also
> applied here with the same adverse results still occurring. 
> 3. Another server with the address of has the same problems and
> attempted corrections that the server in item two is having. 
> The version of Snort that is being run is version 2.1.3, and the syntax used
> to run the program is /usr/sbin/snort -o -u snort -g snort -d -D -c
> /etc/snort/snort.conf -i eth0
> The eth0 interface does not have an ip address bound to it, while a check of
> the /var/log/messages file indicates that when Snort is started, the NIC does
> enter promiscuous
> mode, and subsequently leaves it when the program is stopped.
> Any ideas on this would be greatly appreciated.

More information about the Snort-users mailing list