Snort mailing list archives
Problems with Policy-Based Rules file
From: "Kaplan, Andrew H." <AHKAPLAN () PARTNERS ORG>
Date: Wed, 3 Nov 2004 14:16:56 -0500
Hi there --

I am running into problems with alerts despite my using and reconfiguring the policy-based.rules file. Here are the biggest problems:

1. Two servers with the addresses of 192.168.2.2 and 192.168.2.3 are sending requests via port 1985 to the 226.0.0.2:1985 multicast address via UDP. I added a section to the file that calls for a pass of said traffic from both servers via TCP and UDP. Even though I added it to the file, I am still getting a large number of alerts from both machines.

2. A server with the address of 178.134.10.5 is sending requests via port 631 to the broadcast address 178.134.10.255:631 via UDP. The same procedure that was done for the servers mentioned in item 1 was also applied here, with the same adverse results still occurring.

3. Another server with the address of 180.220.100.45 has the same problems and attempted corrections that the server in item two is having.

The version of Snort that is being run is version 2.1.3, and the syntax used to run the program is:

    /usr/sbin/snort -o -u snort -g snort -d -D -c /etc/snort/snort.conf -i eth0

The eth0 interface does not have an IP address bound to it, while a check of the /var/log/messages file indicates that when Snort is started, the NIC does enter promiscuous mode, and subsequently leaves it when the program is stopped.

Any ideas on this would be greatly appreciated.
Current thread:
- Problems with Policy-Based Rules file Kaplan, Andrew H. (Nov 03)
- Re: Problems with Policy-Based Rules file Alex Butcher, ISC/ISYS (Nov 04)
- <Possible follow-ups>
- FW: Problems with Policy-Based Rules file Kaplan, Andrew H. (Nov 03)
- RE: Problems with Policy-Based Rules file Kaplan, Andrew H. (Nov 04)
- RE: Problems with Policy-Based Rules file Alex Butcher, ISC/ISYS (Nov 04)