Snort mailing list archives
Re: My Webservers Are Showing Up In My Alerts
From: Muhammad Faisal Rauf Danka <mfrd () attitudex com>
Date: Thu, 13 Jun 2002 21:47:36 -0700 (PDT)
It's probably because your snort is listening on a non-filtered/firewalled interface. The attempts are real, but it's not necessary that they were all successful.

If you know for sure that your webservers are apache and can no way contain cmd.exe ( and even if they do, it's useless on a linux box ) ;) , then you can very well comment out the cmd rules.

You cannot call them false positives. I mean people are probing you to intrude in your network and you should be aware of it. That's why you're using snort, right? So it's happening, you're knowing who's trying to intrude you. =)

Regards,
---------
Muhammad Faisal Rauf Danka

Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk

Vice President
Pakistan Computer Emergency Response Team (PakCERT)
web: www.pakcert.org

Chief Security Analyst
Applied Technology Research Center (ATRC)
web: www.atrc.net.pk

--- "Vadim Pushkin" <wiskbroom () hotmail com> wrote:
Greetings Fellows;

My snort.conf has the following entries:

var HTTP_SERVERS [192.168.11.41/32,192.168.11.42/32,192.168.11.43/32,192.168.11.44/32]
# Above is all on one line
var HTTP_SERVERS_PORT 8080

Several of my rules have port 80 replaced with $HTTP_SERVERS_PORT. I am getting A LOT of alerts for these as either source or dest. How can I prevent this?

Thank you kindly,

-vadim

Vadim (Ukrainian Stallion) Pushkin
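An added example, not part of the original messages or of Snort itself: a triage pass over Snort "fast" alert lines that keeps the cmd.exe probes visible but tags them as not applicable to Apache, and separates alerts where a web server is the source from those where it is the destination. The sample alert lines, the SIDs in them, the NOT_APPLICABLE pattern and the function names are constructed assumptions; the server list and port come from the quoted snort.conf.

```python
import ipaddress
import re
from collections import Counter

# Values taken from the snort.conf quoted in the thread.
HTTP_SERVERS = [ipaddress.ip_network(n) for n in (
    "192.168.11.41/32", "192.168.11.42/32",
    "192.168.11.43/32", "192.168.11.44/32")]
HTTP_SERVERS_PORT = 8080

# Assumption: signatures named WEB-IIS or mentioning cmd.exe cannot succeed on Apache/Linux.
NOT_APPLICABLE = re.compile(r"WEB-IIS|cmd\.exe", re.I)

# Snort "fast" alert layout: [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
ALERT = re.compile(
    r"\[\*\*\] \[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.+?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")

# Constructed sample alerts (not real traffic).
SAMPLE_ALERTS = [
    "06/13-21:40:01.000001  [**] [1:1002:2] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.7:3345 -> 192.168.11.41:8080",
    "06/13-21:40:02.000001  [**] [1:1000001:1] Constructed sample signature [**] [Priority: 2] {TCP} 192.168.11.42:8080 -> 203.0.113.9:4411",
    "06/13-21:40:03.000001  [**] [1:1000002:1] WEB-MISC constructed sample [**] [Priority: 2] {TCP} 203.0.113.7:3346 -> 192.168.11.43:8080",
    "06/13-21:40:04.000001  [**] [1:1002:2] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.8:1025 -> 192.168.11.50:8080",
]

def is_web_server(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HTTP_SERVERS)

def triage(line):
    """Return (direction, verdict, source_ip, message), or None if unparsable."""
    m = ALERT.search(line)
    if not m:
        return None
    if is_web_server(m["src"]):
        direction = "server-is-source"   # outbound from a web server: always review
    elif is_web_server(m["dst"]) and int(m["dport"]) == HTTP_SERVERS_PORT:
        direction = "server-is-dest"
    else:
        direction = "other"              # host not in HTTP_SERVERS: platform unknown
    probe = direction == "server-is-dest" and NOT_APPLICABLE.search(m["msg"])
    return direction, "probe-not-applicable" if probe else "review", m["src"], m["msg"]

def summarize(lines):
    rows = [r for r in map(triage, lines) if r]
    counts = Counter((d, v) for d, v, _, _ in rows)
    probers = sorted({s for _, v, s, _ in rows if v == "probe-not-applicable"})
    return counts, probers
```

The probing sources stay in the summary, so the information the reply says Snort is there to provide is kept even when the cmd.exe alerts are no longer treated as actionable.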
Current thread:
- My Webservers Are Showing Up In My Alerts Vadim Pushkin (Jun 13)
- Re: My Webservers Are Showing Up In My Alerts Matt Kettler (Jun 13)
- <Possible follow-ups>
- Re: My Webservers Are Showing Up In My Alerts Vadim Pushkin (Jun 13)
- Re: My Webservers Are Showing Up In My Alerts matt (Jun 13)
- Re: My Webservers Are Showing Up In My Alerts Vadim Pushkin (Jun 13)
- Re: My Webservers Are Showing Up In My Alerts matt (Jun 13)
- Re: My Webservers Are Showing Up In My Alerts Muhammad Faisal Rauf Danka (Jun 13)
- Re: My Webservers Are Showing Up In My Alerts Vadim Pushkin (Jun 14)
- Re: My Webservers Are Showing Up In My Alerts Vadim Pushkin (Jun 14)