Snort mailing list archives

FW: Snort 2.0 Upgrade - Sensor is very chatty


From: "Pacheco, Michael F." <MPacheco () elcom com>
Date: Wed, 23 Apr 2003 15:07:27 -0400

Never mind, my apologies to the list - should have checked theaimsgroup
snort list first.  Uncomment the ttcpalert line - my fault.

Mike

I'm not in Erek's drinking game - but I'll penalize myself tonight with at
least 2 drinks (maybe more).


-----Original Message-----
From: Pacheco, Michael F. 
Sent: Wednesday, April 23, 2003 2:58 PM
To: snort-users () lists sourceforge net
Subject: Snort 2.0 Upgrade - Sensor is very chatty

Upgraded to 2.0.0 from 1.9.1 with-mysql - everything went well, but the new
install of 2.0 is alerting on T/TCP Detected (SID 56) in bucket loads now.
Grep'd through the rules base for sid:56 and T/TCP and could not find
anything.  The snort.conf looks like this

--

var HOME_NET [xx.xx.x.0/8,xx.xx.xx.0/24,xx.xx.xxx.0/24]
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
#var RULE_PATH ../rules
#
## Preprocessor Support
## --------------------
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
#preprocessor bo: -nobrute
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: 63.145.4.252
#preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
#preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60
preprocessor frag2
preprocessor telnet_decode
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00

--

Any ideas?

Thanks  Mike Pacheco
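The original question above is the classic "noisy sensor after an upgrade" triage: before touching snort.conf, a practitioner wants to know which generator/SID is producing the volume, whether it comes from a text rule (GID 1, which grep on the .rules files would find) or from a preprocessor such as stream4 (any other GID, which grep on the rules will never find), and how many distinct source hosts are behind it. The script below is an added example, not code from the thread or from the Snort project: it parses Snort's alert_fast output and ranks alerts per (gid, sid). The sample lines are constructed for this example; only the SID 56 / "T/TCP Detected" text mirrors the report, while the GID 111, rev, timestamps, addresses and ports are made up and the other two signatures are obviously labelled placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Snort "alert_fast" output (not captured data).
# SID 56 / "T/TCP Detected" mirrors the report in the thread; gid 111, rev,
# timestamps, addresses and ports are invented, and the two other
# signatures are placeholders.
SAMPLE_ALERTS = """\
04/23-14:51:02.113322  [**] [111:56:1] (spp_stream4) T/TCP Detected [**] [Priority: 3] {TCP} 10.1.2.3:40213 -> 10.1.9.8:80
04/23-14:51:02.204411  [**] [111:56:1] (spp_stream4) T/TCP Detected [**] [Priority: 3] {TCP} 10.1.2.3:40214 -> 10.1.9.8:80
04/23-14:51:05.000123  [**] [1:1000001:1] CONSTRUCTED web probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:51234 -> 10.1.9.8:80
04/23-14:51:07.555555  [**] [111:56:1] (spp_stream4) T/TCP Detected [**] [Priority: 3] {TCP} 10.1.2.4:40215 -> 10.1.9.9:443
04/23-14:51:09.000000  [**] [1:1000002:1] CONSTRUCTED portscan marker [**] [Priority: 2] {TCP} 198.51.100.7:1 -> 10.1.9.8:22
"""

# alert_fast layout: timestamp [**] [gid:sid:rev] msg [**] [Classification: x]
# (optional) [Priority: n] {PROTO} src -> dst
ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?'
    r'\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src>\S+)\s+->\s+(?P<dst>\S+)$'
)


def parse_alert(line):
    """Parse one alert_fast line into a dict; return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        rec[k] = int(rec[k])
    # GID 1 is the text-rule engine. Any other generator id is a preprocessor
    # or decoder alert, which is why grepping the .rules files for its SID
    # turns up nothing: the message lives in the preprocessor's source/config.
    rec["source"] = "rule" if rec["gid"] == 1 else "preprocessor"
    return rec


def summarize(text):
    """Count alerts per (gid, sid) and return rows, most frequent first."""
    counts = Counter()
    meta = {}
    src_hosts = defaultdict(Counter)
    for line in text.splitlines():
        rec = parse_alert(line)
        if rec is None:
            continue  # unparseable/blank lines are skipped, not fatal
        key = (rec["gid"], rec["sid"])
        counts[key] += 1
        meta[key] = rec
        # strip the port so the count is per host, not per connection
        src_hosts[key][rec["src"].rsplit(":", 1)[0]] += 1
    rows = []
    for key, n in counts.most_common():
        rec = meta[key]
        rows.append({
            "gid": key[0], "sid": key[1], "msg": rec["msg"],
            "source": rec["source"], "count": n,
            "distinct_sources": len(src_hosts[key]),
        })
    return rows


def report(text):
    """Print a one-line-per-signature ranking suitable for a tuning session."""
    for row in summarize(text):
        print(f'{row["count"]:6d}  [{row["gid"]}:{row["sid"]}] {row["msg"]}  '
              f'({row["source"]}, {row["distinct_sources"]} distinct source hosts)')


if __name__ == "__main__":
    report(SAMPLE_ALERTS)
```

Run it against a real alert file by passing the file's contents to `report()`; the top row tells you whether the noise is a rule to tune with a threshold or, as here, a preprocessor alert to address in its own snort.conf line. A high count with very few distinct source hosts usually points at one misbehaving host or load balancer rather than at a sensor-wide configuration problem.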

