Snort mailing list archives

Previous By Date Next
Previous By Thread Next

false positive + NAT

From: Frederic Lemoine <Frederic.Lemoine () Manpowerinc com>
Date: Mon, 17 Sep 2001 15:09:16 +0200
Hello,

We do network address translation (hide mode) on the firewall.

I have a lot of alerts like 

WEB-MISC http directory traversal
WEB-MISC ultraboard access
WEB-MISC whisker head

source IP               : our firewall, high ports
destination IP  : web sites, port 80

This is obviously the traffic back to the web servers, firstly originated by
our users from the Internal LAN.

I am wondering how not to log this kind of traffic, and why does snort
identify this as an attempt.

F.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: