Snort mailing list archives
Re: HELP!
From: Erek Adams <erek () theadamsfamily net>
Date: Fri, 9 Nov 2001 11:52:25 -0800 (PST)
On Fri, 9 Nov 2001, Noah Silverman wrote:
> I tried this. It DOES stop the portscan report, BUT I still get logging from my DNS IP and entries in the alert log file. I am also getting entries from the IP of my machine. I DO have my home IP set correctly.
Noah, IMHO, if you are getting alerts that you think you shouldn't, the very first thing to do is to find out 'Why?'. Forget about disabling anything and concentrate on the traffic that is being alerted on. IOW, check out the packet dumps. See if it _is_ legitimate traffic. It may not be! Don't just assume your HOME_NET is a perfectly secured place! :)

You may want to use a pass rule to allow traffic that is valid to be passed with no alert. If you do this, be very, very careful. One badly written pass rule can mess up your whole day! You'll want to use the '-o' option for that.... Be warned that since snort does the 'match, then exit' if the pass rule matches, it will quit checking for alerts. That can be bad if you have a pass rule that allows anything to come in!

What types of alerts are being logged into the alert file from your other boxes?

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
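The 'match, then exit' behaviour described in the message above, as an added example that is not part of the original post and is not Snort's own code: a simplified Python model of rule-type ordering with and without '-o', showing a narrow pass rule beside one that allows anything in. The one-line rule format, the addresses (documentation ranges) and the two packets are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

DEFAULT_ORDER = ("alert", "pass", "log")  # rule-type order without -o
PASS_FIRST = ("pass", "alert", "log")     # rule-type order with -o

def parse(line):
    """Parse 'action proto src sport -> dst dport msg...' (simplified model format)."""
    action, proto, src, sport, _, dst, dport, *msg = line.split()
    return dict(action=action, proto=proto, src=ip_network(src), sport=sport,
                dst=ip_network(dst), dport=dport, msg=" ".join(msg))

def matches(rule, pkt):
    """True if the packet tuple fits the rule's protocol, addresses and ports."""
    proto, src, sport, dst, dport = pkt
    return (rule["proto"] == proto
            and ip_address(src) in rule["src"] and ip_address(dst) in rule["dst"]
            and rule["sport"] in ("any", str(sport))
            and rule["dport"] in ("any", str(dport)))

def evaluate(rules, pkt, order):
    """First match wins: return (action, msg) and stop checking further rules."""
    for action in order:
        for rule in rules:
            if rule["action"] == action and matches(rule, pkt):
                return action, rule["msg"]
    return None, None

# Constructed sample rules; HOME_NET is modelled as 192.0.2.0/24.
ALERTS = [parse("alert udp 0.0.0.0/0 any -> 192.0.2.0/24 any inbound UDP"),
          parse("alert tcp 0.0.0.0/0 any -> 192.0.2.0/24 23 inbound telnet")]
NARROW = parse("pass udp 198.51.100.53/32 53 -> 192.0.2.0/24 any DNS replies")
BROAD = parse("pass tcp 0.0.0.0/0 any -> 192.0.2.0/24 any anything inbound")

# Constructed sample packets: (proto, src, sport, dst, dport).
DNS_REPLY = ("udp", "198.51.100.53", 53, "192.0.2.10", 1035)
TELNET = ("tcp", "203.0.113.9", 40000, "192.0.2.10", 23)

if __name__ == "__main__":
    cases = [("narrow pass, no -o", ALERTS + [NARROW], DEFAULT_ORDER),
             ("narrow pass, -o", ALERTS + [NARROW], PASS_FIRST),
             ("broad pass, -o", ALERTS + [BROAD], PASS_FIRST)]
    for name, rules, order in cases:
        for label, pkt in [("dns", DNS_REPLY), ("telnet", TELNET)]:
            print(f"{name:20} {label:7} {evaluate(rules, pkt, order)}")
```

In this model the narrow pass rule only silences the DNS replies once pass rules are tested first, while the broad pass rule also hides the telnet connection that the alert rule would otherwise have reported.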