[Snort-users] PIM - Multicasts

Eric Maheo eric.maheo at ...8860...
Tue Aug 23 10:47:02 EDT 2005


Well, you have several options:

-disable the rule 2189 for your snort listening on the internal network
-set a suppress for this sig and a particular ip source or destination
-set a threshold
-set the correct variables for this rule 2189

Thanks,
Eric 


On Tue, 2005-08-23 at 12:07 -0500, Walt Rich wrote:
> I've been fairly successful in tuning snort in our environment, and
> have reduced the number of false positives dramatically.   I have a
> question though: How do I disable the PIM alerts generated by Snort
> for our internal network?  I constantly receive 
>  
> BAD_TRAFFIC IP Proto 103 PIM alerts.  We run multicasting on our
> internal network because we use Norton Ghost to set up workstations.
> The Ghostcasting feature requires the enabling of multicasting, and we
> don't need to see these alerts.
>  
> Thanks!
>  
> Walt Rich | Sr. Network Engineer | Parago, Inc. | 972.538.7253 | walt.rich at ...12648...
>  
-- 

Eric Maheo
Vice President of Engineering,

Applied Watch Technologies, LLC
1095 Pingree Rd.
Suite 212
Crystal Lake, IL 60014

Tel: (877) 262-7593 x324
Fax: (877) 262-7593

Email: eric.maheo at ...8860...
Web: http://www.appliedwatch.com
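
The suppress and threshold options listed in the reply above, written out as Snort 2.x threshold.conf entries for sid 2189. This is an added example, not part of the original thread; the address 192.0.2.1 is a constructed placeholder for an internal host that legitimately sends PIM.

```conf
# threshold.conf (Snort 2.x syntax), pulled in from snort.conf with:
#   include threshold.conf
# Added example, not from the thread. gen_id 1 is the standard rules engine;
# sig_id 2189 is the rule number given in the reply.
# 192.0.2.1 is a constructed placeholder address (assumption).

# Option: suppress sid 2189 only for one known PIM source.
# PIM seen from any other internal host still raises the alert.
suppress gen_id 1, sig_id 2189, track by_src, ip 192.0.2.1

# Alternative: keep the alert but log at most one per source address
# in each 60-second window, instead of one per packet.
threshold gen_id 1, sig_id 2189, type limit, track by_src, count 1, seconds 60

# Option: disable the rule outright by commenting out the line carrying
# sid:2189 in the rules file, on the internal-facing sensor only.
```

Scoping the suppress to a single source keeps the signature active for everything else on the segment, which disabling the rule does not.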




