Snort mailing list archives
RE: Is this right one?
From: Peter Rodger <prodger2008 () yahoo com>
Date: Wed, 26 Oct 2005 07:21:34 -0700 (PDT)
Bruce,

Thank you. If I commented out #preprocessor sfportscan, I got no alert at all. Is this normal?

BTW, how do I find out the dropped packets from the BASE console? (I have a Winsnort on Windows 2003, MSSQL and BASE console.) Currently, the Snort box is placed inside the firewall and I span the PIX port to the Snort monitoring port. (I access it from the manager interface on another NIC of the Snort box.)

Any suggestions?

Peter

--- "Briggs, Bruce" <Bruce.Briggs () suny edu> wrote:
The downside is that you don't get alerts of possible port scans. Too much noise for my setup and not enough control over tuning the portscan alerts for me.

Bruce

-----Original Message-----
From: Peter Rodger [mailto:prodger2008 () yahoo com]
Sent: Tuesday, October 25, 2005 12:46 PM
To: Briggs, Bruce; s
Subject: RE: [Snort-users] Is this right one?

Bruce,

Thanks for your help as always. Currently, I did the same thing and commented out portscan in the snort.conf. I do not know what the downside of this is. I am getting too much interest in Snort and trying to learn as a baby. Please forgive my newbie questions.

Thank you,
Peter

--- "Briggs, Bruce" <Bruce.Briggs () suny edu> wrote:

suppress gen_id 119, sig_id 4 works for me. I don't run portscan, so I've not tried suppress on those alerts.

Bruce

-----Original Message-----
From: Peter Rodger [mailto:prodger2008 () yahoo com]
Sent: Tuesday, October 25, 2005 12:07 PM
To: Briggs, Bruce; Eric Maheo; s
Subject: RE: [Snort-users] Is this right one?

Hi,

Thanks for your help and it works (only monitoring the Exchange servers' traffic). I still could not figure out why this one does not work, as posted before:

[snort] (portscan) Open Port unclassified
[snort] (portscan) UDP Portsweep unclassified
[snort] (http_inspect) BARE BYTE UNICODE ENCODING

I have attempted to suppress these alerts in my snort.conf file like the following:

suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 19
suppress gen_id 119, sig_id 4

Could it be too much traffic that overkills the Snort box and it cannot process suppress as indicated above?? Currently, the Snort box is placed inside the firewall and I span the PIX port to the Snort monitoring port. Please give me some suggestions and hints. Should I buy taps?

Thanks as always,
Peter

--- "Briggs, Bruce" <Bruce.Briggs () suny edu> wrote:

The format should be:

suppress gen_id 1, sig_id 1070

Make sure that you have an uncommented include on snort.conf for threshold.conf.

Also you could comment out sid_id 1070 in web-misc.rules. Many use oinkmaster to automatically update new Snort sigs and keep mods to their Snort rules.

Bruce

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Peter Rodger
Sent: Tuesday, October 25, 2005 10:35 AM
To: s
Subject: [Snort-users] Is this right one?

Hi all,

I try to suppress this one event:

WEB-MISC WebDAV search access

I added suppress sid_id 1070 in the threshold.conf. Is this right?

Thanks,
Peter
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
=== message truncated ===
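As an added example (not code from the thread, from Snort or from either poster): a small Python checker that parses suppress lines in the Snort 2 threshold.conf format quoted above, flags malformed ones such as the bare sid_id attempt, tests whether a given gen_id/sig_id alert would be silenced, and verifies that snort.conf carries an uncommented include for threshold.conf. The two sample files are constructed, and the optional track/ip suffix and the 192.0.2.10 address are assumptions added for illustration.

```python
import re

# Snort 2.x suppress syntax as quoted in the thread: "suppress gen_id <gid>, sig_id <sid>",
# optionally ", track by_src|by_dst, ip <addr>". Malformed lines (e.g. "suppress sid_id 1070") are reported.
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)

def parse_threshold_conf(text):
    """Return (rules, errors): rules as (gid, sid, track, ip), errors as (lineno, line)."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip comments and blank lines
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if m:
            gid, sid, track, ip = m.groups()
            rules.append((int(gid), int(sid), track, ip))
        elif line.startswith("suppress"):
            errors.append((lineno, line))       # looks like a suppress line but is malformed
    return rules, errors

def is_suppressed(rules, gid, sid, src_ip=None, dst_ip=None):
    """True if an alert with (gid, sid) would be silenced by one of the parsed rules."""
    for r_gid, r_sid, track, ip in rules:
        if (r_gid, r_sid) != (gid, sid):
            continue
        if track is None:                       # no track clause: suppress for every host
            return True
        if (track == "by_src" and src_ip == ip) or (track == "by_dst" and dst_ip == ip):
            return True
    return False

def threshold_included(snort_conf):
    """True if snort.conf has an uncommented 'include threshold.conf' (any path prefix)."""
    pat = re.compile(r"^\s*include\s+(\S*/)?threshold\.conf\s*$")
    return any(pat.match(l) for l in snort_conf.splitlines())

# Constructed sample files; the track/ip line and its address are assumptions, not from the thread.
SAMPLE_THRESHOLD = """
suppress sid_id 1070             # malformed: gen_id is mandatory
suppress gen_id 1, sig_id 1070   # WEB-MISC WebDAV search access
suppress gen_id 122, sig_id 27   # (portscan) Open Port
suppress gen_id 122, sig_id 19   # (portscan) UDP Portsweep
suppress gen_id 119, sig_id 4, track by_src, ip 192.0.2.10
"""
SAMPLE_SNORT_CONF = "# include threshold.conf\ninclude threshold.conf\n"
RULES, ERRORS = parse_threshold_conf(SAMPLE_THRESHOLD)
```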