Re: Address on my network generating many alerts

[Nigel Houghton <nigel () sourcefire com>]

On  0, Arthur DiSegna <adisegna () authentium com> wrote:
>  
> Hello,
>
> I just installed SNORT for the first time and have noticed one of my
> servers generating a lot of traffic. Most of it is legitimate web
> traffic. How can I exclude the normal traffic while maintaining
> intrusion checks...

Start by tuning your setup, set your HOME_NET and EXTERNAL_NET variables
in your snort.conf and start from there. The HOME_NET is normally your
internal address space and the EXTERNAL_NET could be !$HOME_NET. The
default snort.conf is generously commented.

Then start looking at other variables in there and the preprocessor
options for tuning. You might also want to look at which rule groups are
enabled and disabled too.

The manual[0] is online and there are many documents in the doc directory
of the source tarball.

[0] http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/rc1/

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

         There is no theory of evolution, just a list
            of creatures Vin Diesel allows to live.


-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users