[Snort-users] Is this right one?

Peter Rodger prodger2008 at ...131...
Wed Oct 26 07:24:35 EDT 2005


Bruce,

Thank you.  If I commented out #preprocessor sfportscan,
I got no alert at all.  Is this normal?

BTW, how do I find out the dropped packets from the BASE
console?  (I have a Winsnort on Windows 2003, MSSQL
and BASE console.)  Currently, the snort box is placed
inside the firewall and I span the PIX port to the snort
monitoring port. (I access it from the manager interface
on another NIC of the Snort box.)

Any suggestions?

Peter

-- "Briggs, Bruce" <Bruce.Briggs at ...13183...> wrote:

> The downside is that you don't get alerts of
> possible port scans.
> Too much noise for my setup and not enough control
> over tuning the
> portscan alerts for me.
> 
> Bruce
> 
> -----Original Message-----
> From: Peter Rodger [mailto:prodger2008 at ...131...] 
> Sent: Tuesday, October 25, 2005 12:46 PM
> To: Briggs, Bruce; s
> Subject: RE: [Snort-users] Is this right one?
> 
> Bruce,
> 
> Thanks for your help as always.  Currently, I did
> the same thing and commented out portscan in the
> snort.conf.
> I do not know what the downside of this is.
> 
> I am getting too much interest in snort and try to
> learn as a baby.  Please forgive my newbie
> questions.
> 
> Thank you,
> 
> Peter
> 
> 
> 
> --- "Briggs, Bruce" <Bruce.Briggs at ...13183...> wrote:
> 
> > suppress gen_id 119, sig_id 4   works for me.
> > 
> > I don't run portscan, so I've not tried suppress
> > on those alerts.
> > 
> > Bruce
> > 
> > 
> > -----Original Message-----
> > From: Peter Rodger [mailto:prodger2008 at ...131...] 
> > Sent: Tuesday, October 25, 2005 12:07 PM
> > To: Briggs, Bruce; Eric Maheo; s
> > Subject: RE: [Snort-users] Is this right one?
> > 
> > Hi,
> > 
> > Thanks for your help and it works (only monitoring
> > exchange servers' traffic) .
> > 
> > I still could not figure out why this one does not
> > work as posted before:
> > [snort] (portscan) Open Port unclassified
> > [snort] (portscan) UDP Portsweep unclassified
> > [snort] (http_inspect) BARE BYTE UNICODE ENCODING
> > 
> > I have attempted to suppress these alerts in my
> > snort.conf file like the following:
> > suppress gen_id 122, sig_id 27
> > suppress gen_id 122, sig_id 19
> > suppress gen_id 119, sig_id 4
> > 
> > Could it be too much traffic that overwhelms the
> > snort box so it cannot process the suppress entries
> > as indicated above??
> > Currently, the snort box is placed inside the firewall
> > and I span the PIX port to the snort monitoring port.
> > 
> > Please give me some suggestions and hints.  Should
> > I buy taps?
> > 
> > Thanks as always,
> > 
> > Peter
> > 
> > 
> > --- "Briggs, Bruce" <Bruce.Briggs at ...13183...> wrote:
> > 
> > > The format should be:
> > > suppress gen_id 1, sig_id 1070
> > > 
> > > Make sure that you have an uncommented include
> > > on snort.conf for threshold.conf.
> > > 
> > > Also you could comment out  sid_id 1070 in
> > > web-misc.rules
> > > 
> > > Many use oinkmaster to automatically update new
> > > Snort sigs and keep mods
> > > to their Snort rules.
> > > 
> > > Bruce
> > > 
> > > -----Original Message-----
> > > From: snort-users-admin at lists.sourceforge.net
> > > [mailto:snort-users-admin at lists.sourceforge.net]
> > > On Behalf Of Peter Rodger
> > > Sent: Tuesday, October 25, 2005 10:35 AM
> > > To: s
> > > Subject: [Snort-users] Is this right one?
> > > 
> > > Hi all,
> > > I try to suppress this one event.
> > > WEB-MISC WebDAV search access
> > > I added suppress sid_id 1070 in the threshold.conf.
> > > Is this right?
> > > 
> > > Thanks,
> > > 
> > > Peter
> > > 
> > > 
> > > 
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or
> > > unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > 
> > 
> > 
> > 
> > 
=== message truncated ===
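The suppress syntax the thread circles around, as an added example that is not part of the original messages: a small Python checker that parses the `suppress gen_id N, sig_id N` lines of a threshold.conf (only the plain form used in the thread), flags the malformed `suppress sid_id 1070` attempt, and reports which alerts, identified by their `[gid:sid:rev]` prefix, would still be raised. The threshold.conf excerpt and the alert lines are constructed for the example.

```python
import re

# Constructed threshold.conf excerpt mirroring the thread: the original
# "suppress sid_id 1070" attempt plus the corrected gen_id/sig_id lines.
THRESHOLD_CONF = """\
# threshold.conf (constructed sample)
suppress sid_id 1070
suppress gen_id 1, sig_id 1070
suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 19
suppress gen_id 119, sig_id 4
"""

# Constructed alerts carrying Snort's "[gid:sid:rev]" identifier prefix.
ALERTS = [
    "[1:1070:10] WEB-MISC WebDAV search access",
    "[122:27:1] (portscan) Open Port",
    "[122:19:1] (portscan) UDP Portsweep",
    "[119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING",
    "[1:2000:1] some other rule",
]

# Only the plain form from the thread is modeled; track/ip options are not.
SUPPRESS_RE = re.compile(r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*$")
ALERT_RE = re.compile(r"^\[(\d+):(\d+):\d+\]\s+")

def parse_suppress(conf):
    """Return (set of (gid, sid) pairs, list of malformed suppress lines)."""
    rules, malformed = set(), []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line.startswith("suppress"):
            continue
        m = SUPPRESS_RE.match(line)
        if m:
            rules.add((int(m.group(1)), int(m.group(2))))
        else:
            malformed.append(line)  # e.g. "suppress sid_id 1070": no gen_id
    return rules, malformed

def remaining_alerts(alerts, rules):
    """Alerts that would still be reported after the suppress entries apply."""
    kept = []
    for alert in alerts:
        m = ALERT_RE.match(alert)
        if m and (int(m.group(1)), int(m.group(2))) in rules:
            continue                 # matched generator and signature id
        kept.append(alert)
    return kept
```

Running `parse_suppress(THRESHOLD_CONF)` reports the `sid_id` line as malformed, which is the reason a suppress written that way never takes effect, while the four well-formed entries drop every sample alert except the unrelated one.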


