[Snort-users] How to proceed

Ralf Spenneberg lists at ...9778...
Thu Nov 10 08:30:12 EST 2005


Hi,

You configured everything correctly. This is a shortcoming in Base.

The alert was generated by a preprocessor and not a signature. Base
cannot yet distinguish between these alerts and always tries to look up a
signature at the snort homepage. All sids below 100 definitely are
preprocessor alerts and are not accessible through the snort homepage.

Ralf

On Thursday, 10.11.2005, at 11:00 -0500, Timothy A. Holmes wrote:
> Hi folks:
>
> I am VERY new to using snort, I have it set up and sniffing between
> our cable modem and the firewall, and it appears to be running well.
>
> I am seeing alerts show up in BASE.
>
> So I look at a particular alert, and find the following
>
> [snort] (portscan) TCP Portsweep unclassified 15(0%) 1 1 7 2005-11-09
> 10:13:55 2005-11-10 10:38:46
>
> I click on the snort link which, if I understand correctly, should take
> me to a page which will tell me what the alert means and what I should do
> about it (if anything)
>
> And I get the following (this is the link to the page)
>
> http://www.snort.org/pub-bin/sigs.cgi?sid=27
>
> Which basically tells me that the snort database has never heard of
> this before
>
> What do I do now???
>
> Did I configure base incorrectly or what?
>
> I must confess to being kinda lost
>
> TIM
>
> Timothy A. Holmes
> IT Manager / Network Admin / Web Master / Computer Teacher
>
> Medina Christian Academy
> A Higher Standard...
>
> Jeremiah 33:3
> Jeremiah 29:11
> Esther 4:14
> 
-- 
Ralf Spenneberg
OpenSource Training                     http://www.opensource-training.de
Webereistr. 1                           48565 Steinfurt           Germany