Snort mailing list archives
FW: Snort 2.0 Upgrade - Sensor is very chatty
From: "Pacheco, Michael F." <MPacheco () elcom com>
Date: Wed, 23 Apr 2003 15:07:27 -0400
Never mind, my apologies to the list - should have checked theaimsgroup snort list first. Uncomment the ttcpalert line - my fault.

Mike

I'm not in Erek's drinking game - but I'll penalize myself tonight with at least 2 drinks (maybe more).

-----Original Message-----
From: Pacheco, Michael F.
Sent: Wednesday, April 23, 2003 2:58 PM
To: snort-users () lists sourceforge net
Subject: Snort 2.0 Upgrade - Sensor is very chatty

Upgraded to 2.0.0 from 1.9.1 with-mysql - everything went well, but the new install of 2.0 is alerting on T/TCP Detected (SID 56) in bucket loads now. Grep'd through the rules base for sid:56 and T/TCP and could not find anything. The snort.conf looks like this

--
var HOME_NET [xx.xx.x.0/8,xx.xx.xx.0/24,xx.xx.xxx.0/24]
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
#var RULE_PATH ../rules
#
## Preprocessor Support
## --------------------
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
#preprocessor bo: -nobrute
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: 63.145.4.252
#preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
#preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60
preprocessor frag2
preprocessor telnet_decode
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
--

Any ideas?
Thanks
Mike Pacheco