[Snort-users] Problems with snort

Joel Esler jesler at ...1935...
Mon Mar 26 13:27:11 EDT 2012


Also, you should use the VRT ruleset available for free from the Snort.org website and not rely on the COMMUNITY rules that are at least 4 years old and distributed with Ubuntu/Debian, etc.

J

On Mar 26, 2012, at 12:43 PM, Nick Moore wrote:

> Philip, 
> 
> Ping floods I haven't worked with as much, but port scanning will not necessarily alert outside the portscan preprocessor, which is off by default. If you really want to test your rulebase, I would suggest downloading some interesting pcaps and testing your snort rulebase against them. You can find a bunch of them here: 
> 
> http://sourceforge.net/apps/mediawiki/networkminer/index.php?title=Publicly_available_PCAP_files
> 
> When it comes time to tune your rulebase for your network, please consider the rules that are applicable to your environment. For example, if you have a Windows environment with client machines (e.g. most user vlans or home networks), don't turn on the Linux/Unix rules and those pertaining to services not present in your network, e.g. DNS, Web, SQL.... If you're not sure what's in your environment, run nmap against it to gather open ports and operating systems. 
> 
> Happy Snorting!
> 
> Nick
> 
> On Mon, Mar 26, 2012 at 5:24 AM, Philip Edwards <phil.e at ...15568...> wrote:
> 
> 
> >
> > Hello everybody,
> >
> > I've recently set up snort 2.9.2 on Ubuntu, and used oinkmaster to get the 2921 rules.
> > It runs fine in Daemon mode and the base interface is reporting alerts. The machine only currently has one NIC so I'm attempting to generate alerts from my laptop on the same network. I've tried ping flooding it and port scanning it but every alert is currently showing up as a "Community SIP TCP/IP message flooding directed to SIP proxy SID 100000160".
> >
> > I've been led to believe that since I haven't tuned it yet these are false positives and will disappear when I have.
> > My question is why are portscans and ping floods showing up as the same thing and why none of the three SIDs detected so far appear in the online database?
> >
> > Thanks
> >
> > Phil.
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> 
> 
> 
> -- 
> Nick Moore, SFCE, CISSP, CISA
> Sr. Systems Engineer
> Voice 708-336-9041
> Email nick.moore at ...1935...
> IM    nickgmoore (Yahoo)
>        nickgmoore38 (AIM)
> 
>     ,,_
>    o"  )~   Sourcefire - The Creators of Snort
>     ''''
> 
> www.sourcefire.com         www.snort.org     www.immunet.com
> 
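As an added example (not code from either poster): once Snort has been replayed over a pcap as Nick suggests (e.g. `snort -c snort.conf -r capture.pcap -A fast -l ./logs`), the fast-format alert file tells you which SIDs are actually firing. This script tallies alerts per GID:SID and drafts oinkmaster `disablesid` lines for the noisiest rules so they can be reviewed before tuning; the sample alert lines, the second SID and its message are constructed for the demonstration.

```python
import re
from collections import Counter

# Matches Snort's "fast" alert format (-A fast / output alert_fast):
# "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src -> dst"
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)

# Constructed sample of an alert_fast log; SID 1000001 and its message are made up
# (SIDs >= 1000000 are the local-rule range), the first SID is the one from the thread.
SAMPLE_ALERTS = """\
03/26-12:43:01.100000  [**] [1:100000160:2] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.168.1.20:41000 -> 192.168.1.10:5060
03/26-12:43:01.200000  [**] [1:100000160:2] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.168.1.20:41001 -> 192.168.1.10:5060
03/26-12:43:01.300000  [**] [1:100000160:2] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.168.1.20:41002 -> 192.168.1.10:5060
03/26-12:43:02.000000  [**] [1:1000001:1] LOCAL example ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.20 -> 192.168.1.10
this line is not an alert and is skipped
"""

def parse_fast_alerts(lines):
    """Yield one dict (gid, sid, rev, msg, proto, src, dst) per parseable line."""
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            yield m.groupdict()

def sid_summary(lines):
    """Return (Counter of alerts per 'gid:sid', dict of gid:sid -> rule message)."""
    counts, msgs = Counter(), {}
    for a in parse_fast_alerts(lines):
        key = f"{a['gid']}:{a['sid']}"
        counts[key] += 1
        msgs.setdefault(key, a["msg"])
    return counts, msgs

def oinkmaster_disable_lines(counts, threshold):
    """Draft oinkmaster.conf 'disablesid gid:sid' lines for rules that fired at least
    `threshold` times in the replay. These are candidates to review, not a decision:
    a rule that fires constantly may be noise for this network or a real problem."""
    noisy = sorted(key for key, n in counts.items() if n >= threshold)
    return [f"disablesid {key}" for key in noisy]

if __name__ == "__main__":
    counts, msgs = sid_summary(SAMPLE_ALERTS.splitlines())
    for key, n in counts.most_common():
        print(f"{n:6d}  {key:<14}  {msgs[key]}")
    print("\n".join(oinkmaster_disable_lines(counts, threshold=3)))
```

Point the script at `./logs/alert` from a real replay and compare the top SIDs against the services that actually exist on the monitored segment, which is the tuning step Nick describes.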
