Snort mailing list archives

Re: snort filter
From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 26 Sep 2001 13:31:00 -0700 (PDT)

On Wed, 26 Sep 2001, Eduard Meiler wrote:

> after installing snort I get a lot of these messages about the traffic: Does
> it make sense to disable this function, or is there a way to filter the
> unnecessary information ??

It depends.

> Sep 26 21:00:00 wall snort: [1:515:2] MISC source port 53 to <1024
> [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP}
> 193.141.40.1:53 -> 192.168.7.200:53

Consider the source and destination.  Source was from xlink1.xlink.net which
is a DNS server.  Destination was a private net.  Now if that internal machine
made a DNS query then this might be normal, seeing as you can specify the port
to connect back on in the BIND configs.

Is that one of the DNS servers you use?  If not, then something might be up.
If so, build a pass rule for it if needed, then use the -o switch to swap the
order of the rules.

Hope this helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
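Added example, not part of the thread or of Snort itself: a small Python triage script that parses the syslog alert format quoted above, marks sid 515 hits whose source is one of the resolvers the site actually uses as expected, and emits the kind of pass rule suggested in the reply. The sample lines, the trusted-resolver set and the local sid value are constructed assumptions.

```python
import re

# Constructed sample syslog lines in the format quoted in the thread (not real captures).
SAMPLE_ALERTS = [
    "Sep 26 21:00:00 wall snort: [1:515:2] MISC source port 53 to <1024 "
    "[Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} "
    "193.141.40.1:53 -> 192.168.7.200:53",
    "Sep 26 21:00:05 wall snort: [1:515:2] MISC source port 53 to <1024 "
    "[Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} "
    "198.51.100.7:53 -> 192.168.7.200:111",
]

# Assumption: the resolvers this site really queries (here, the one named in the thread).
TRUSTED_RESOLVERS = {"193.141.40.1"}

# [gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        fields[key] = int(fields[key])
    return fields


def triage(line, trusted=TRUSTED_RESOLVERS):
    """Classify a sid 515 alert: replies from a known resolver are expected, others need a look."""
    alert = parse_alert(line)
    if alert is None:
        return ("unparsed", None)
    if alert["sid"] != 515:
        return ("other", alert)
    if alert["src"] in trusted and alert["sport"] == 53:
        return ("expected", alert)
    return ("investigate", alert)


def pass_rule(alert, local_sid=1000001):
    """Pass rule for a known resolver; it only wins over the alert rule when snort runs with -o."""
    return (f"pass {alert['proto'].lower()} {alert['src']} 53 -> $HOME_NET :1023 "
            f"(msg:\"known resolver {alert['src']} source port 53\"; sid:{local_sid}; rev:1;)")
```

Run `triage()` over the log and write out `pass_rule()` only for sources that are verified resolvers; the sid 1000001 is a constructed local-rule number, not a Snort-distributed one.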

