Snort mailing list archives

RE: Is this right one?


From: Peter Rodger <prodger2008 () yahoo com>
Date: Wed, 26 Oct 2005 07:21:34 -0700 (PDT)

Bruce,

Thank you.  If I commented out the preprocessor sfportscan line,
I got no alert at all.  Is this normal?

BTW, how do I find out the dropped packets from the BASE
console?  (I have Winsnort on Windows 2003, MSSQL
and the BASE console.)  Currently, the snort box is placed
inside the firewall and I span the PIX port to the snort
monitoring port.  (I access it from a management interface
on another NIC of the Snort box.)

Any suggestions?

Peter

-- "Briggs, Bruce" <Bruce.Briggs () suny edu> wrote:

The downside is that you don't get alerts of possible port scans.
Too much noise for my setup and not enough control over tuning the
portscan alerts for me.

Bruce

-----Original Message-----
From: Peter Rodger [mailto:prodger2008 () yahoo com] 
Sent: Tuesday, October 25, 2005 12:46 PM
To: Briggs, Bruce; s
Subject: RE: [Snort-users] Is this right one?

Bruce,

Thanks for your help as always.  Currently, I did the
same thing and commented out portscan in the snort.conf.
I do not know what the downside of this is?

I am getting very interested in snort and trying to
learn like a baby.  Please forgive my newbie
questions.

Thank you,

Peter



--- "Briggs, Bruce" <Bruce.Briggs () suny edu> wrote:

suppress gen_id 119, sig_id 4   works for me.

I don't run portscan, so I've not tried suppress on
those alerts.

Bruce


-----Original Message-----
From: Peter Rodger [mailto:prodger2008 () yahoo com] 
Sent: Tuesday, October 25, 2005 12:07 PM
To: Briggs, Bruce; Eric Maheo; s
Subject: RE: [Snort-users] Is this right one?

Hi,

Thanks for your help, and it works (only monitoring
the exchange servers' traffic).

I still could not figure out why this one does not
work as posted before:
[snort] (portscan) Open Port unclassified
[snort] (portscan) UDP Portsweep unclassified
[snort] (http_inspect) BARE BYTE UNICODE ENCODING

I have attempted to suppress these alerts in my
snort.conf file like the following:
suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 19
suppress gen_id 119, sig_id 4

Could it be that too much traffic is overwhelming the snort
box and it cannot process the suppress lines indicated
above??
Currently, the snort box is placed inside the firewall and
I span the PIX port to the snort monitoring port.


Please give me some suggestions and hints.  Should I
buy taps?

Thanks as always,

Peter


--- "Briggs, Bruce" <Bruce.Briggs () suny edu> wrote:

The format should be:
suppress gen_id 1, sig_id 1070

Make sure that you have an uncommented   include   in
snort.conf  for threshold.conf.

Also you could comment out  sid_id 1070 in web-misc.rules

Many use oinkmaster to automatically update new Snort sigs
and keep mods to their Snort rules.

Bruce

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]
On Behalf Of Peter Rodger
Sent: Tuesday, October 25, 2005 10:35 AM
To: s
Subject: [Snort-users] Is this right one?

Hi all,
I am trying to suppress this one event:
WEB-MISC WebDAV search access
I added   suppress sid_id 1070   in the threshold.conf.
Is this right?

Thanks,

Peter







-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.
Get Certified Today * Register for a JBoss Training Course
Free Certification Exam for All Training Attendees Through End of 2005
Visit http://www.jboss.com/services/certification for more information
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
=== message truncated ===
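The whole thread turns on one syntax point: a Snort 2 suppress line must name both the generator (gen_id) and the signature (sig_id), and the first attempt ("suppress sid_id 1070") fails because sid_id is not a keyword. The following linter is an added example for this archive page, not code from the thread or from the Snort project: it checks suppress lines in a constructed threshold.conf against the form Bruce gives, labels the generator ids that appear in the thread (1 = rules engine, 119 = http_inspect, 122 = sfportscan, the classic Snort 2 generator numbers), and checks that snort.conf has an uncommented include of threshold.conf, which Bruce also asks for. The sample configs are constructed; the function names are my own.

```python
"""Lint Snort 2 threshold.conf 'suppress' lines (added example, not Snort code)."""
import re

# Generator ids referenced in the thread (Snort 2 preprocessor/generator numbers).
GENERATORS = {
    1: "snort rules engine (text rules, e.g. web-misc.rules)",
    119: "http_inspect (client)",
    122: "sfportscan",
}

# suppress gen_id <n>, sig_id <n>[, track by_src|by_dst, ip <addr>]
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)

# include <path>  (a leading '#' makes the line a comment, so it will not match)
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")


def lint_suppress_line(line):
    """Return (ok, message) for one threshold.conf line."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return True, "comment or blank"
    if not stripped.startswith("suppress"):
        return True, "not a suppress line"
    m = SUPPRESS_RE.match(stripped)
    if m is None:
        if "sid_id" in stripped:
            return False, "'sid_id' is not a keyword; use 'gen_id <n>, sig_id <n>'"
        if "gen_id" not in stripped:
            return False, "missing gen_id (use gen_id 1 for text rules)"
        return False, "malformed suppress line (track requires ip)"
    gen_id, sig_id = int(m.group(1)), int(m.group(2))
    source = GENERATORS.get(gen_id, "unknown generator")
    return True, f"suppresses {gen_id}:{sig_id} ({source})"


def lint_config(text):
    """Lint every line; returns a list of (line_number, ok, message)."""
    return [(n, *lint_suppress_line(l)) for n, l in enumerate(text.splitlines(), 1)]


def threshold_included(snort_conf):
    """True if snort.conf has an uncommented include ending in threshold.conf."""
    for line in snort_conf.splitlines():
        m = INCLUDE_RE.match(line)
        if m and m.group(1).endswith("threshold.conf"):
            return True
    return False


# Constructed sample configs: the first suppress line is the mistaken form from
# the thread, the rest are the corrected forms for the alerts Peter listed.
SAMPLE_THRESHOLD_CONF = """\
# constructed sample threshold.conf
suppress sid_id 1070
suppress gen_id 1, sig_id 1070
suppress gen_id 122, sig_id 27
suppress gen_id 119, sig_id 4, track by_src, ip 10.0.0.5
"""

SAMPLE_SNORT_CONF = """\
# constructed sample snort.conf fragment
# include threshold.conf
include $RULE_PATH/threshold.conf
"""

if __name__ == "__main__":
    for n, ok, msg in lint_config(SAMPLE_THRESHOLD_CONF):
        print(f"line {n}: {'OK ' if ok else 'ERR'} {msg}")
    print("threshold.conf included:", threshold_included(SAMPLE_SNORT_CONF))
```

Run it against a real threshold.conf and snort.conf pair to catch the two failure modes discussed above before restarting the sensor: a misspelled keyword that Snort rejects, and a threshold.conf that is never read because its include is commented out.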