[Snort-users] help with file bpf and ip 0.0.0.0

hernani coelho hernani_coelho at ...4664...
Sat Jan 23 12:49:19 EST 2016


I installed Snorby to see alerts,
and I have alerts from src 64.4.8.0 to dst 0.0.0.0.
How can I stop alerts from 64.4.8.0 or to dst 0.0.0.0?
I am sending a photo of Snorby.

thanks

hernani
On 21-01-2016 12:11, Joel Esler (jesler) wrote:
> Port 80 is not something you want to ignore, considering a large
> number of attacks take place on port 80.
>
> On Jan 21, 2016, at 6:05 AM, hernani coelho <hernani_coelho at ...4664...> wrote:
>
>>
>>
>> On 20-01-2016 21:52, Joel Esler (jesler) wrote:
>>>
>>>> On Jan 20, 2016, at 1:10 PM, hernani coelho 
>>>> <hernani_coelho at ...4664...> wrote:
>>>>
>>>>
>>>>
>>>> On 20-01-2016 17:55, wkitty42 at ...14940... wrote:
>>>>> On 01/20/2016 12:03 PM, hernani coelho wrote:
>>>>>> Now I see that if I search a web page, Snort gives me alerts like this -->
>>>>>>
>>>>>> #0-(1-7731) [snort <http://www.snort.org/search/sid/119-15>] http_inspect: OVERSIZE REQUEST-URI DIRECTORY
>>>>>> 2016-01-20 16:59:34 192.168.1.66:57514 95.172.94.15:80 TCP
>>>>>>
>>>>>>
>>>>>> Is it safe to ignore port 80??
>>>>> IMHO, absolutely not...
>>>>>
>>>>> if you are getting oversize reports like that, you can increase the size of your
>>>>> oversize_dir_length setting in the http_inspect preprocessor section of your
>>>>> snort.conf file... we use 750 here but you may need a larger or smaller value
>>>>> depending on the traffic on your network...
>>>>>
>>>>
>>>
>> I have lots of alerts from port 80; how can I stop alerts from port 80?
>>
>>
>> #41-(1-30) [snort <http://www.snort.org/search/sid/129-12>] stream5: TCP Small Segment Threshold Exceeded
>> 2016-01-21 10:46:46 195.23.51.104:80 192.168.1.66:60009 TCP
>>
>>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: snorby.png
Type: image/png
Size: 297489 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20160123/c7ae4964/attachment.png>
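
Added example, not part of the original thread: a Snort 2.9.x configuration sketch that quiets the specific alerts quoted above while keeping port 80 inspected. The GID/SID pairs and addresses are the ones shown in the thread; the file paths, the `ports { 80 }` list and the `<GID>`/`<SID>` placeholders are assumptions, because the thread does not say which rule fires for 64.4.8.0.

```conf
# --- snort.conf: http_inspect server section -------------------------------
# Raise the directory-length limit that triggers 119:15
# (http_inspect: OVERSIZE REQUEST-URI DIRECTORY). 750 is the value
# mentioned in the thread; tune it to the traffic on your own network.
# Edit your existing http_inspect_server line rather than adding a second one.
preprocessor http_inspect_server: server default \
    profile all ports { 80 } \
    oversize_dir_length 750

# --- threshold.conf (assumes snort.conf contains "include threshold.conf") --
# Suppress one rule for one address. Every other rule still alerts on
# port 80 traffic, and this rule still alerts for every other host.

# 119:15 http_inspect OVERSIZE REQUEST-URI DIRECTORY, only for the
# workstation 192.168.1.66 seen as source in the quoted alert.
suppress gen_id 119, sig_id 15, track by_src, ip 192.168.1.66

# 129:12 stream5 TCP Small Segment Threshold Exceeded, only for the
# web server 195.23.51.104 seen as source in the quoted alert.
suppress gen_id 129, sig_id 12, track by_src, ip 195.23.51.104

# Alerts from 64.4.8.0: replace <GID> and <SID> with the generator and
# signature IDs shown in Snorby for that event (placeholders, not real IDs).
# suppress gen_id <GID>, sig_id <SID>, track by_src, ip 64.4.8.0

# --- ignore.bpf (hypothetical file name), loaded with: snort -F ignore.bpf --
# A BPF filter is coarser than a suppress entry: packets it excludes are
# never inspected, so no rule at all can alert on that host.
# not host 64.4.8.0
```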

