[Snort-users] Problems with snort

Nick Moore nmoore at ...1935...
Mon Mar 26 12:43:22 EDT 2012


Philip,

Ping floods I haven't worked with as much, but port scanning will not
necessarily alerts outside the portscan preprocessor, which is off by
default. If you really want to test your rulebase, I would suggest
downloading some interesting pcaps and testing your snort rulebase against
them. You can find a bunch of them here:

http://sourceforge.net/apps/mediawiki/networkminer/index.php?title=Publicly_available_PCAP_files

When it comes time to tune your rulebase for your network, please consider
the rules that are applicable to your environment. For example, if you have
a Windows environment with client machines (e.g. most user vlans or home
networks), don't turn on the Linux/Unix rules and those pertaining to
services not present in your network, e.g. DNS, Web, SQL.... If you're not
sure what's in your environment, run nmap against it to gather open ports
and operating systems.

Happy Snorting!

Nick

On Mon, Mar 26, 2012 at 5:24 AM, Philip Edwards <phil.e at ...15568...> wrote:

>
>
> >
> > Hello everybody,
> >
> > I've recently setup snort 2.9.2 on Ubuntu, and used oinkmaster to get
> the 2921 rules.
> > It runs fine in Daemon mode and the base interface is reporting alerts.
> The machine only currently has one NIC so i'm attempting to generate alerts
> from my laptop on the same network. I've tried ping flooding it and port
> scanning it but every alert is currently showing up as a "Community SIP
> TCP/IP message flooding directed to SIP proxy SID 100000160".
> >
> > Ive been led to believe that since i haven't tuned it yet these are
> false positives and will disappear when i have.
> > My question is why are portscans and ping floods showing up as the same
> thing and why none of the three SID's detected so far appear in the online
> database?
> >
> > Thanks
> >
> > Phil.
>
>
>
> ------------------------------------------------------------------------------
> This SF email is sponsosred by:
> Try Windows Azure free for 90 days Click Here
> http://p.sf.net/sfu/sfd2d-msazure
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>



-- 
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Voice 708-336-9041
Email nick.moore at ...1935...
IM    nickgmoore (Yahoo)
       nickgmoore38 (AIM)

    ,,_
   o"  )~   Sourcefire - The Creators of Snort
    ''''

www.sourcefire.com         www.snort.org     www.immunet.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120326/7fd0af4c/attachment.html>


More information about the Snort-users mailing list