Snort mailing list archives
Re: Log questions
From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 06 Aug 2001 07:39:39 -0400
Phil wrote:
Snort users, I have some questions about my logs:

For starters I have a directory under /var/log/snortlogs which is my own external IP address. Everything under the directory is one of the following two:

[**] Possible RETRANSMISSION detection [**]
[**] EVASIVE RST detection [**]

I also have directories for INTERNAL addresses (home_net is set to my external address while external_net is set to everything else). I see how this is possible since it's not my home_net, but since I NAT everything with IPFilter, this seems strange. The internal address logs are for the same two things. So my 2 questions are:

1. Why are there so many of those two kinds of logs? Are they false alarms? Are they bugs?
No, they are indications of crappy IP stack implementations in use. Upgrade to http://www.snort.org/files/snort-1.8.1-beta5.tar.gz and they're turned off by default.
2. Why are my external address (which is HOME_NET) and even my internal NAT'd address getting in the logs?
Because a preprocessor is what's setting off the alerts, so it's outside of the normal rules-based intrusion detection engine.

-Marty
Thanks,
Phil

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org
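Marty's point is that stream4 raises these two alerts before the rules engine ever looks at HOME_NET, so they turn up for home and NAT'd addresses alike. The following triage script is an added example, not code from the thread or from Snort: it parses a constructed, simplified "alert fast" style log, separates the two stream4 messages named above from rule-engine alerts, and counts how many of the stream4 alerts name a HOME_NET address (assumed here to be a single documentation-range IP) as the source.

```python
"""Split stream4 preprocessor alerts from rule-engine alerts in Snort output.
Added example: the alert lines are constructed in a simplified 'alert fast'
layout and HOME_NET is an assumed value, not taken from the thread."""
import ipaddress
import re
from collections import Counter

# The two messages asked about in the thread. They come from the stream4
# preprocessor, which runs ahead of the rules engine and ignores HOME_NET.
STREAM4_STATE_MSGS = {"Possible RETRANSMISSION detection", "EVASIVE RST detection"}

# Assumed home net: the poster's single external (NAT) address.
HOME_NET = ipaddress.ip_network("203.0.113.5/32")

# The message sits between the [**] markers, optionally prefixed by [gid:sid:rev];
# the "src:port -> dst:port" pair comes later in the record.
MSG_RE = re.compile(r"\[\*\*\]\s*(?:\[\d+:\d+:\d+\]\s*)?(?P<msg>.+?)\s*\[\*\*\]")
ADDR_RE = re.compile(r"(?P<src>\d+(?:\.\d+){3})(?::\d+)?\s*->\s*(?P<dst>\d+(?:\.\d+){3})")

# Constructed sample: three stream4 alerts (one with the home address as the
# source, one with an internal NAT'd address) and one ordinary rule alert.
SAMPLE_ALERTS = """\
08/06-07:12:01.000001 [**] Possible RETRANSMISSION detection [**] {TCP} 203.0.113.5:80 -> 198.51.100.7:40112
08/06-07:12:03.000002 [**] EVASIVE RST detection [**] {TCP} 198.51.100.7:40112 -> 203.0.113.5:80
08/06-07:12:05.000003 [**] Possible RETRANSMISSION detection [**] {TCP} 192.168.1.10:1025 -> 203.0.113.5:80
08/06-07:13:09.000004 [**] [1:1122:1] WEB-MISC robots.txt access [**] {TCP} 198.51.100.9:51511 -> 203.0.113.5:80
"""


def parse_alert(line):
    """Return (msg, src, dst) for one record, or None if it does not parse."""
    m, a = MSG_RE.search(line), ADDR_RE.search(line)
    if not (m and a):
        return None
    return m.group("msg"), ipaddress.ip_address(a.group("src")), ipaddress.ip_address(a.group("dst"))


def triage(text, home_net=HOME_NET):
    """Count stream4 state alerts and rule alerts separately, and record how
    many stream4 alerts list a HOME_NET address as the source. A rule with
    EXTERNAL_NET as its source would never log that; the preprocessor does."""
    stats = {"stream4": Counter(), "rules": Counter(), "stream4_home_src": 0}
    for line in text.splitlines():
        rec = parse_alert(line)
        if rec is None:
            continue  # skip blank or unparseable records
        msg, src, _dst = rec
        if msg in STREAM4_STATE_MSGS:
            stats["stream4"][msg] += 1
            if src in home_net:
                stats["stream4_home_src"] += 1
        else:
            stats["rules"][msg] += 1
    return stats
```

Running `triage(SAMPLE_ALERTS)` against a real alert file shows at a glance how much of the volume is stream4 state noise versus rule hits before deciding whether to upgrade or tune the preprocessor.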