Snort mailing list archives

Problems with Policy-Based Rules file


From: "Kaplan, Andrew H." <AHKAPLAN () PARTNERS ORG>
Date: Wed, 3 Nov 2004 14:16:56 -0500

Hi there --

I am running into problems with alerts despite using and reconfiguring the
policy-based.rules file. Here are the biggest problems:

1. Two servers with the addresses 192.168.2.2 and 192.168.2.3 are sending
requests via port 1985 to the multicast address 226.0.0.2:1985 via UDP. I added
a section to the file that calls for a pass of said traffic from both servers
via TCP and UDP. Even though I added it to the file, I am still getting
a large number of alerts from both machines.

2. A server with the address 178.134.10.5 is sending requests via port 631 to
the broadcast address 178.134.10.255:631 via UDP. The same procedure that was
done for the servers mentioned in item 1 was also applied here, with the same
adverse results still occurring.

3. Another server with the address 180.220.100.45 has the same problems, and
the same attempted corrections, as the server in item 2.

The version of Snort being run is 2.1.3, and the command used to run the
program is:

/usr/sbin/snort -o -u snort -g snort -d -D -c /etc/snort/snort.conf -i eth0

The eth0 interface does not have an IP address bound to it, while a check of the
/var/log/messages file indicates that when Snort is started the NIC does enter
promiscuous mode, and subsequently leaves it when the program is stopped.

Any ideas on this would be greatly appreciated.
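What a Snort 2.1.x pass-rule setup for the traffic described in items 1 and 2 looks like, written out as an added example. This is not the poster's file and not Snort project code: the path /etc/snort/snort.conf and the file name policy-based.rules are taken from the post, while the rules directory, the variable name MCAST_SENDERS, the sids and the msg strings are assumptions. Item 3 names no destination in the post, so no rule is written for it.

```snort
# ---- /etc/snort/snort.conf: lines the pass rules depend on ----
# Snort 2.1.x evaluates alert rules before pass rules by default, so a pass
# rule has no effect unless the order is changed, either with "snort -o" on
# the command line (as in the post) or with this directive:
config order: pass alert log

# The rules file only matters if snort.conf actually includes it
# (RULE_PATH value is an assumption):
var RULE_PATH /etc/snort/rules
include $RULE_PATH/policy-based.rules

# ---- /etc/snort/rules/policy-based.rules ----
# Both multicast senders from item 1 (variable name is an assumption).
var MCAST_SENDERS [192.168.2.2,192.168.2.3]

# Item 1: UDP to 226.0.0.2 port 1985. The post says the senders use port 1985
# themselves, but the source port is left as "any" so the rule still matches
# if they do not; the alerts described are UDP, so no TCP rule is needed.
pass udp $MCAST_SENDERS any -> 226.0.0.2 1985 (msg:"POLICY pass UDP 1985 to multicast group"; sid:1000001; rev:1;)

# Item 2: UDP to the subnet broadcast address, port 631.
pass udp 178.134.10.5 any -> 178.134.10.255 631 (msg:"POLICY pass UDP 631 to subnet broadcast"; sid:1000002; rev:1;)

# ---- threshold.conf (included from snort.conf): preprocessor events ----
# Pass rules act only on the rules engine. An alert whose bracketed header
# [gid:sid:rev] has a gid other than 1 comes from a preprocessor (portscan,
# stream, etc.), and no pass rule will stop it. Suppress it instead, using the
# gid and sid printed in the alert in place of the two placeholders below:
#
#   suppress gen_id <gid>, sig_id <sid>, track by_src, ip 192.168.2.2
```

After editing, check the configuration with `snort -T -c /etc/snort/snort.conf -o`: the startup output prints the rule application order (with `-o` it lists pass before alert) and a per-type count of rules read, so a missing include or a syntax error in the pass rules shows up there rather than as a flood of alerts later. If the events turn out to be preprocessor-generated and suppression is not wanted, the blunter alternative is a BPF filter appended to the command line, e.g. `... -i eth0 not '(udp and dst host 226.0.0.2 and dst port 1985)'`, which drops the packets before any preprocessor sees them, so everything Snort might have said about that traffic, including stream and portscan events, disappears.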


