[Snort-users] Is this right one?

Peter Rodger prodger2008 at ...131...
Fri Oct 28 12:02:47 EDT 2005


The reason I did not get any alert is that I got an error.
If I commented out sfportscan, I got the error
"Unknown rule type: memcap" when I ran snort -c -l from the
command line, and I could not even start the snort
service.  After I uncommented sfportscan, I had no
problem with -c -l and the service could be restarted.
(I followed the doc on winsnort to install snort as
a service.)

What am I missing?

Thanks,

Peter

--- "Briggs, Bruce" <Bruce.Briggs at ...13183...> wrote:

> You won't get any portscan alerts if you comment out, and thus do not
> run, sfportscan.
> You should still get http_inspect alerts if you have not suppressed
> them.
> 
> Bruce
> 
> -----Original Message-----
> From: Peter Rodger [mailto:prodger2008 at ...131...] 
> Sent: Wednesday, October 26, 2005 10:22 AM
> To: Briggs, Bruce; s
> Subject: RE: [Snort-users] Is this right one?
> 
> Bruce,
> 
> Thank you.  If I commented out preprocessor sfportscan,
> I got no alert at all.  Is this normal?
> 
> BTW, how do I find out the dropped packets from the BASE
> console?  (I have Winsnort on Windows 2003, MSSQL
> and the BASE console.)  Currently, the snort box is placed
> inside the firewall and I SPAN the PIX port to the snort
> monitoring port.  (I access it from the management interface
> on another NIC of the Snort box.)
> 
> Any suggestions?
> 
> Peter
> 
> -- "Briggs, Bruce" <Bruce.Briggs at ...13183...> wrote:
> 
> > The downside is that you don't get alerts of possible port scans.
> > Too much noise for my setup and not enough control over tuning the
> > portscan alerts for me.
> > 
> > Bruce
> > 
> > -----Original Message-----
> > From: Peter Rodger [mailto:prodger2008 at ...131...] 
> > Sent: Tuesday, October 25, 2005 12:46 PM
> > To: Briggs, Bruce; s
> > Subject: RE: [Snort-users] Is this right one?
> > 
> > Bruce,
> > 
> > Thanks for your help as always.  Currently, I did the
> > same thing and commented out portscan in the
> > snort.conf.  I do not know what the downside of this is.
> > 
> > I am getting very interested in snort and trying to
> > learn as a baby.  Please forgive my newbie
> > questions.
> > 
> > Thank you,
> > 
> > Peter
> > 
> > 
> > 
> > --- "Briggs, Bruce" <Bruce.Briggs at ...13183...> wrote:
> > 
> > > suppress gen_id 119, sig_id 4  works for me.
> > > 
> > > I don't run portscan, so I've not tried suppress on
> > > those alerts.
> > > 
> > > Bruce
> > > 
> > > 
> > > -----Original Message-----
> > > From: Peter Rodger
> [mailto:prodger2008 at ...131...] 
> > > Sent: Tuesday, October 25, 2005 12:07 PM
> > > To: Briggs, Bruce; Eric Maheo; s
> > > Subject: RE: [Snort-users] Is this right one?
> > > 
> > > Hi,
> > > 
> > > Thanks for your help and it works (only monitoring
> > > exchange servers' traffic).
> > > 
> > > I still could not figure out why this one does not
> > > work as posted before:
> > > [snort] (portscan) Open Port unclassified
> > > [snort] (portscan) UDP Portsweep unclassified
> > > [snort] (http_inspect) BARE BYTE UNICODE ENCODING
> > > 
> > > I have attempted to suppress these alerts in my
> > > snort.conf file like the following:
> > > suppress gen_id 122, sig_id 27
> > > suppress gen_id 122, sig_id 19
> > > suppress gen_id 119, sig_id 4
> > > 
> > > Could it be too much traffic that overwhelms the snort
> > > box so that it cannot process suppress as indicated
> > > above??
> > > Currently, the snort box is placed inside the firewall
> > > and I SPAN the PIX port to the snort monitoring port.
> > > 
> > > Please give me some suggestions and hints.  Should I
> > > buy taps?
> > > 
> > > Thanks as always,
> > > 
> > > Peter
> > > 
> > > 
> > > --- "Briggs, Bruce" <Bruce.Briggs at ...13183...>
> wrote:
> > > 
> > > > The format should be:
> > > > suppress gen_id 1, sig_id 1070
> > > > 
> > > > Make sure that you have an uncommented include in
> > > > snort.conf for threshold.conf.
> > > > 
> > > > Also you could comment out sid 1070 in
> > > > web-misc.rules
> > > > 
> > > > Many use oinkmaster to automatically update new
> > > > Snort sigs and keep mods to their Snort rules.
> > > > 
> > > > Bruce
> > > > 
> > > > -----Original Message-----
> > > > From: snort-users-admin at lists.sourceforge.net
> > > > [mailto:snort-users-admin at lists.sourceforge.net]
> > > > On Behalf Of Peter Rodger
> > > > Sent: Tuesday, October 25, 2005 10:35 AM
> > > > To: s
> > > > Subject: [Snort-users] Is this right one?
> > > > 
> > > > Hi all,
> > > > I am trying to suppress this one event:
> > > > WEB-MISC WebDAV search access
> > > > I added "suppress sid_id 1070" in the
> > > > threshold.conf.  Is this right?
> > > > 
> > > > Thanks,
> > > > 
> > > > Peter
> > > > 
> > > > 
> > > > 
=== message truncated ===
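The "Unknown rule type: memcap" error reported at the top of this message is what the Snort 2.x config reader produces when only the first line of the backslash-continued sfportscan stanza in snort.conf is commented out: the reader discards a '#' line before it checks for a trailing backslash, so the next line ("memcap { 10000000 } \") is parsed as a statement of its own. The script below is an added example, not code from the thread or from the Snort project; it scans a snort.conf for such orphaned continuation lines. The function name check_snort_conf, the two sample configs written to a temp directory, and the assumption that the stanza text matches the stock snort.conf layout are all mine.

```shell
#!/bin/sh
# Added example, not from the thread or the Snort project.
# Snort 2.x's config reader discards a '#' line before it looks for a
# trailing backslash, so commenting out only the first line of a
# backslash-continued stanza leaves its continuation lines to be parsed
# as statements of their own; "memcap { 10000000 } \" then fails with
# "Unknown rule type: memcap".  This script finds such orphaned lines.

# check_snort_conf FILE   (hypothetical helper, assumed name)
# Prints "<line>: <text>" for each orphaned continuation line.
# Returns 0 if none were found, 1 otherwise.
check_snort_conf() {
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        BEGIN { found = 0; active = 0; in_orphan = 0; after_commented_cont = 0 }
        {
            line = trim($0)
            if (line == "") next
            is_comment = (substr(line, 1, 1) == "#")
            continued  = (substr(line, length(line), 1) == "\\")
            if (is_comment) {
                # Snort skips the line; remember whether it looked like
                # the start of a continued statement.
                after_commented_cont = continued
                next
            }
            # "active" mirrors Snort: only uncommented lines continue.
            if (in_orphan || (!active && after_commented_cont)) {
                printf "%d: %s\n", NR, line
                found = 1
                in_orphan = continued   # an orphan drags its own continuations along
            } else {
                in_orphan = 0
            }
            active = continued
            after_commented_cont = 0
        }
        END { exit found }
    ' "$1"
}

# Constructed samples (assumed to match the stock snort.conf layout):
# the sfportscan stanza with only its first line commented out, and the
# same stanza commented out correctly.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/broken.conf" <<'EOF'
# http_inspect is a normal continued statement and must not be flagged
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

# sfportscan with only its first line commented out (the mistake)
# preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         sense_level { low }

include threshold.conf
EOF

cat > "$SAMPLE_DIR/fixed.conf" <<'EOF'
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

# sfportscan commented out on every line of the stanza
# preprocessor sfportscan: proto  { all } \
#                        memcap { 10000000 } \
#                        sense_level { low }

include threshold.conf
EOF

for f in broken.conf fixed.conf; do
    if check_snort_conf "$SAMPLE_DIR/$f"; then
        echo "$f: no orphaned continuation lines"
    else
        echo "$f: orphaned continuation lines listed above"
    fi
done
```

On broken.conf the script lists the memcap and sense_level lines; on fixed.conf it reports nothing. It only catches this one editing mistake; the authoritative check for a snort.conf is still to run Snort in test mode (snort -T -c snort.conf) before restarting the service. If the reason for disabling sfportscan is the noise Bruce mentions rather than the preprocessor itself, note that a suppress line in threshold.conf can also be narrowed with "track by_src, ip <cidr>" (or by_dst), which silences the portscan alerts for a chosen address range instead of turning the preprocessor off.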



	
		