[Snort-users] help with file bpf and ip 0.0.0.0

Al Lewis (allewi) allewi at ...589...
Wed Jan 20 13:10:57 EST 2016


It may be worthwhile to check out the section in the manual on how to define variables (HOME_NET and EXTERNAL_NET) correctly.


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...

From: hernani coelho [mailto:hernani_coelho at ...4664...]
Sent: Wednesday, January 20, 2016 12:24 PM
To: Al Lewis (allewi); snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] help with file bpf and ip 0.0.0.0

I don't know where to put it to stop the alerts; I have put it everywhere.

hernani
On 20-01-2016 17:13, Al Lewis (allewi) wrote:
Maybe I missed it but why are you using 0.0.0.0/8 in your home_net again?

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...

From: hernani coelho [mailto:hernani_coelho at ...4664...]
Sent: Wednesday, January 20, 2016 12:03 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] help with file bpf and ip 0.0.0.0

Now I see that if I browse a web page, Snort gives me alerts like this -->

#0-(1-7731)  [snort <http://www.snort.org/search/sid/119-15>] http_inspect: OVERSIZE REQUEST-URI DIRECTORY
2016-01-20 16:59:34  src 192.168.1.66:57514  dst 95.172.94.15:80  TCP


Is it safe to ignore port 80?
thanks
hernani
On 20-01-2016 16:52, hernani coelho wrote:
Sorry, false alert :)

The alerts are still there; I shut down mldonkey.

The alerts show the protocol is IP. Can someone help me?

#1-(1-7660)  [snort <http://www.snort.org/search/sid/129-15>] stream5: Reset outside window
2016-01-20 16:46:57  src 64.4.8.0  dst 0.0.0.0  IP


On 20-01-2016 13:58, hernani coelho wrote:
I have some progress.

I think it is the program mldonkey for Linux; it has its IP set to 0.0.0.0. I changed it to 127.0.0.1 and for now the alerts have stopped.
thanks

hernani


On 20-01-2016 12:29, hernani coelho wrote:

#1-(1-7332)  [snort <http://www.snort.org/search/sid/129-15>] stream5: Reset outside window
2016-01-20 12:15:53  src 64.4.8.0  dst 0.0.0.0

I put the filter in snort.conf:

ipvar HOME_NET [192.168.1.66/24,0.0.0.0/8]
ipvar EXTERNAL_NET any

I have now put src ip 0.0.0.0/8 in /etc/snort/threshold.conf and it works, but not for 64.4.8.0; for dst ip 0.0.0.0/8 it doesn't work.
thanks

hernani
On 20-01-2016 11:54, James Lay wrote:
What are the alerts (post sample), where did you put the filter at (snort.conf or command line), and what are your HOME_NET and EXTERNAL_NET set to?

James

On Wed, 2016-01-20 at 09:44 +0000, hernani coelho wrote:

Can nobody help me?



On 18-01-2016 10:47, hernani coelho wrote:

> Hello,
>
> I installed Snort and it works, but I receive many alerts from IP 0.0.0.0. I
> put this in the BPF file -->
>
> not ( ip host (192.168.1.66 or 0.0.0.0))
>
> For the first IP it works, but for IP 0.0.0.0 it does not work; I receive many
> alerts.
>
> What can I do to ignore alerts from IP 0.0.0.0?
>
> Can someone help me?
>
> Thanks
>
> hernani





------------------------------------------------------------------------------

Site24x7 APM Insight: Get Deep Visibility into Application Performance

APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month

Monitor end-to-end web transactions and take corrective actions now

Troubleshoot faster and improve end-user experience. Signup Now!

http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140

_______________________________________________

Snort-users mailing list

Snort-users at lists.sourceforge.net

Go to this URL to change user options or unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:

http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users



Please visit http://blog.snort.org to stay current on all the latest Snort news!
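Added example, not code from this thread or from the Snort project: a small Python model of how a Snort 2.9 threshold.conf `suppress` line is matched against an alert, to make concrete the `track by_src` versus `track by_dst` distinction behind the "src ip 0.0.0.0/8 works, dst ip 0.0.0.0/8 doesn't" report above. The threshold.conf lines, the alert tuple (gid 129 / sid 15 "stream5: Reset outside window", 64.4.8.0 -> 0.0.0.0, as quoted in the thread) and all function names are my constructions; only the single-CIDR form of the documented suppress syntax is handled, not IP lists or `!` negation.

```python
"""Constructed illustration of Snort threshold.conf `suppress` matching.

Syntax modelled (Snort 2.9 manual, threshold.conf):
    suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <cidr>]

Only that subset is implemented; event_filter lines and IP lists are
rejected so the reader sees exactly what is and is not covered.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>\S+))?\s*$"
)


@dataclass
class Suppress:
    gid: int
    sid: int
    track: Optional[str]                    # None: suppress regardless of address
    net: Optional[ipaddress.IPv4Network]    # CIDR the tracked address must fall in

    def matches(self, gid: int, sid: int, src: str, dst: str) -> bool:
        """True if this suppress line would silence the given alert."""
        if (gid, sid) != (self.gid, self.sid):
            return False
        if self.track is None:
            return True
        # by_src looks only at the source address, by_dst only at the destination.
        addr = ipaddress.ip_address(src if self.track == "by_src" else dst)
        return addr in self.net


def parse_threshold_conf(text: str) -> List[Suppress]:
    """Parse the suppress lines of a threshold.conf fragment (comments allowed)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"unsupported threshold.conf line: {line!r}")
        net = ipaddress.ip_network(m["ip"], strict=False) if m["ip"] else None
        rules.append(Suppress(int(m["gid"]), int(m["sid"]), m["track"], net))
    return rules


def is_suppressed(rules: List[Suppress], gid: int, sid: int, src: str, dst: str) -> bool:
    return any(r.matches(gid, sid, src, dst) for r in rules)


# Constructed threshold.conf fragments: the "src ip 0.0.0.0/8" attempt from the
# thread, and the by_dst form that keys on the destination instead.
CONF_BY_SRC = "suppress gen_id 129, sig_id 15, track by_src, ip 0.0.0.0/8\n"
CONF_BY_DST = "suppress gen_id 129, sig_id 15, track by_dst, ip 0.0.0.0/8\n"

# Constructed alert shaped like the record quoted in the thread:
# gid 129 / sid 15 "stream5: Reset outside window", 64.4.8.0 -> 0.0.0.0
ALERT = (129, 15, "64.4.8.0", "0.0.0.0")


def demo() -> Dict[str, bool]:
    """Apply both fragments to the quoted alert."""
    by_src = parse_threshold_conf(CONF_BY_SRC)
    by_dst = parse_threshold_conf(CONF_BY_DST)
    return {
        "by_src": is_suppressed(by_src, *ALERT),  # False: source is 64.4.8.0
        "by_dst": is_suppressed(by_dst, *ALERT),  # True: destination is in 0.0.0.0/8
    }


if __name__ == "__main__":
    for name, silenced in demo().items():
        print(f"{name}: alert {ALERT} suppressed = {silenced}")
```

Run it with python3; demo() returns a dict. The by_src line never fires on the quoted alert because the address it inspects is the source, 64.4.8.0, which is outside 0.0.0.0/8; a by_dst line on the same CIDR does match. Whether suppressing is the right fix is a separate question: Al Lewis's point about not putting 0.0.0.0/8 in HOME_NET stands, and a stream5 alert carrying a 0.0.0.0 address is worth understanding before it is silenced.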