[Snort-users] FW: Problems with Policy-Based Rules file
Kaplan, Andrew H.
AHKAPLAN at ...10063...
Wed Nov 3 13:42:34 EST 2004
> -----Original Message-----
> From: Kaplan, Andrew H.
> Sent: Wednesday, November 03, 2004 2:17 PM
> To: Snort User Group (E-mail)
> Subject: Problems with Policy-Based Rules file
> Hi there --
> I am running into problems with alerts despite my using and reconfiguring of
> the policy-based.rules file. Here are the biggest problems:
> 1. Two servers with the addresses of 192.168.2.2 and 192.168.2.3 are sending
> requests via port 1985 to the 188.8.131.52:1985 multicast address via UDP. I
> added a section to the file that calls for a pass of said traffic from both
> servers via TCP and UDP. Even though I added it to the file, I am still getting
> a large amount of alerts from both machines.
> 2. A server with the address of 184.108.40.206 is sending requests via port 631
> to the broadcast address 220.127.116.11:631 via UDP. The same procedure that
> was done for the servers mentioned in item 1 was also applied here, with the
> same adverse results still occurring.
> 3. Another server with the address of 18.104.22.168 has the same problems, and
> the same attempted corrections, as the server in item 2.
> The version of Snort that is being run is version 2.1.3, and the syntax used
> to run the program is:
> /usr/sbin/snort -o -u snort -g snort -d -D -c /etc/snort/snort.conf -i eth0
> The eth0 interface does not have an IP address bound to it, while a check of
> the /var/log/messages file indicates that when Snort is started, the NIC does
> enter promiscuous mode, and subsequently leaves it when the program is stopped.
> Any ideas on this would be greatly appreciated.
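The pass rules the post describes, written out as an added example; this is not the poster's policy-based.rules file (which is not reproduced in the thread). The addresses are taken from the post as printed, and the sid values and msg strings are assumed:

```conf
# Added example: Snort 2.x pass rules for the traffic described in the post.
# Snort 2.x evaluates rules in the order Alert -> Pass -> Log by default, so a
# pass rule only suppresses an alert when the order is changed to put pass
# first, either with the -o switch on the command line (as in the post) or with
# this directive in snort.conf:
#   config order: pass alert log
# This file must also be pulled in from snort.conf, e.g.
#   include $RULE_PATH/policy-based.rules

# Item 1: hellos from two servers to a multicast address on 1985/udp.
# Addresses as printed in the post; sids and msg strings are assumed.
pass udp 192.168.2.2/32 any -> 188.8.131.52/32 1985 (msg:"PASS 1985/udp from 192.168.2.2"; sid:1000001; rev:1;)
pass udp 192.168.2.3/32 any -> 188.8.131.52/32 1985 (msg:"PASS 1985/udp from 192.168.2.3"; sid:1000002; rev:1;)

# Item 2: broadcasts to 631/udp from a single server.
pass udp 184.108.40.206/32 any -> 220.127.116.11/32 631 (msg:"PASS 631/udp from 184.108.40.206"; sid:1000003; rev:1;)

# Item 3: the same traffic from a third server.
pass udp 18.104.22.168/32 any -> 220.127.116.11/32 631 (msg:"PASS 631/udp from 18.104.22.168"; sid:1000004; rev:1;)
```

Two things worth checking when pass rules like these appear to have no effect: that the rules file is actually included from the snort.conf being loaded (snort -T -c /etc/snort/snort.conf prints the parsed configuration and exits, so the rule count and the rule order appear there), and that the rule header matches the packets that are alerting. A pass rule is matched on protocol, addresses, ports and direction exactly like any other rule; if the alerts are being raised on replies (reversed direction), on a different port, or on TCP rather than UDP, a UDP pass rule for the outbound request will not cover them.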