Snort mailing list archives
How do I filter either Kiwi Syslog or Snort to stop this recurring Auth_Alert?
From: Matt Lenco <mattlenco () yahoo com>
Date: Fri, 10 Dec 2010 09:02:42 -0800 (PST)
I'm sitting at the dealer waiting for my car, playing with Snort and Kiwi starts logging this... The local segment is 10.25.35.0.24. This is filling up my log. How do I filter this?

12-10-2010 08:26:38 Auth.Alert 127.0.0.1 Dec 10 08:26:38 Me-PC snort: [1:404:7] ICMP Destination Unreachable Protocol Unreachable [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.1 -> 10.25.35.251
12-10-2010 08:26:34 Auth.Alert 127.0.0.1 Dec 10 08:26:34 Me-PC snort: [1:404:7] ICMP Destination Unreachable Protocol Unreachable [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.1 -> 10.25.35.251
12-10-2010 08:26:29 Auth.Alert 127.0.0.1 Dec 10 08:26:29 Me-PC snort: [1:404:7] ICMP Destination Unreachable Protocol Unreachable [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.1 -> 10.25.35.251
12-10-2010 08:26:24 Auth.Alert 127.0.0.1 Dec 10 08:26:24 Me-PC snort: [1:404:7] ICMP Destination Unreachable Protocol Unreachable [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.1 -> 10.25.35.251
12-10-2010 08:26:20 Auth.Alert 127.0.0.1 Dec 10 08:26:20 Me-PC snort: [1:404:7] ICMP Destination Unreachable Protocol Unreachable [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.1 -> 10.25.35.251
12-10-2010 08:26:16 Auth.Alert 127.0.0.1 Dec 10 08:26:16 Me-PC snort: [1:404:7] ICMP Destination Unreachable Protocol Unreachable [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.1 -> 10.25.35.251
12-10-2010 08:26:11 Auth.Alert 127.0.0.1 Dec 10 08:26:11 Me-PC snort: [1:404:7] ICMP Destination Unreachable Protocol Unreachable [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.1 -> 10.25.35.251
12-10-2010 08:26:06 Auth.Alert 127.0.0.1 Dec 10 08:26:06 Me-PC snort: [1:404:7] ICMP Destination Unreachable Protocol Unreachable [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.1 -> 10.25.35.251
12-10-2010 08:26:02 Auth.Alert 127.0.0.1 Dec 10 08:26:02 Me-PC snort: [1:404:7] ICMP Destination Unreachable Protocol Unreachable [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.1 -> 10.25.35.251
12-10-2010 08:25:57 Auth.Alert 127.0.0.1 Dec 10 08:25:57 Me-PC snort: [1:404:7] ICMP Destination Unreachable Protocol Unreachable [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.1 -> 10.25.35.251
12-10-2010 08:25:53 Auth.Alert 127.0.0.1 Dec 10 08:25:53 Me-PC snort: [1:404:7] ICMP Destination Unreachable Protocol Unreachable [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.1 -> 10.25.35.251
12-10-2010 08:25:48 Auth.Alert 127.0.0.1 Dec 10 08:25:48 Me-PC snort: [1:404:7] ICMP Destination Unreachable Protocol Unreachable [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.1 -> 10.25.35.251
12-10-2010 08:25:44 Auth.Alert 127.0.0.1 Dec 10 08:25:44 Me-PC snort: [1:404:7] ICMP Destination Unreachable Protocol Unreachable [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.1 -> 10.25.35.251
12-10-2010 08:25:39 Auth.Alert 127.0.0.1 Dec 10 08:25:39 Me-PC snort: [1:404:7] ICMP Destination Unreachable Protocol Unreachable [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.1 -> 10.25.35.251
12-10-2010 08:25:34 Auth.Alert 127.0.0.1 Dec 10 08:25:34 Me-PC snort: [1:404:7] ICMP Destination Unreachable Protocol Unreachable [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.1 -> 10.25.35.251
12-10-2010 08:25:30 Auth.Alert 127.0.0.1 Dec 10 08:25:30 Me-PC snort: [1:404:7] ICMP Destination Unreachable Protocol Unreachable [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.1 -> 10.25.35.251
12-10-2010 08:25:26 Auth.Alert 127.0.0.1 Dec 10 08:25:26 Me-PC snort: [1:404:7] ICMP Destination Unreachable Protocol Unreachable [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.1 -> 10.25.35.251
12-10-2010 08:25:21 Auth.Alert 127.0.0.1 Dec 10 08:25:21 Me-PC snort: [1:404:7] ICMP Destination Unreachable Protocol Unreachable [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.1 -> 10.25.35.251
12-10-2010 08:25:17 Auth.Alert 127.0.0.1 Dec 10 08:25:17 Me-PC snort: [1:404:7] ICMP Destination Unreachable Protocol Unreachable [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.1 -> 10.25.35.251
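An added example, not part of the original post: a Python script that parses alerts in the Kiwi Syslog/Snort layout quoted above, counts how often each signature fires per source and destination, and builds a source-scoped `suppress` line in Snort 2.x threshold syntax for the noisy ones. The sample input (three lines in the post's format plus one constructed line with a made-up SID 1000001), the function names and the `min_count` cutoff are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: three lines in the layout quoted in the post, plus one
# made-up alert (SID 1000001) that fires once and should not be suppressed.
SAMPLE = """\
12-10-2010 08:26:38 Auth.Alert 127.0.0.1 Dec 10 08:26:38 Me-PC snort: [1:404:7] ICMP Destination Unreachable Protocol Unreachable [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.1 -> 10.25.35.251
12-10-2010 08:26:34 Auth.Alert 127.0.0.1 Dec 10 08:26:34 Me-PC snort: [1:404:7] ICMP Destination Unreachable Protocol Unreachable [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.1 -> 10.25.35.251
12-10-2010 08:26:29 Auth.Alert 127.0.0.1 Dec 10 08:26:29 Me-PC snort: [1:404:7] ICMP Destination Unreachable Protocol Unreachable [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.1 -> 10.25.35.251
12-10-2010 08:26:30 Auth.Alert 127.0.0.1 Dec 10 08:26:30 Me-PC snort: [1:1000001:1] Constructed sample rule [Classification: Misc activity] [Priority: 3] {TCP} 10.25.35.7:51515 -> 10.25.35.251:80
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) \S+ \S+ .*? snort: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[Classification: "
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?\s*$"
)

def summarize(text):
    """Group alerts by (gid, sid, src, dst); return {key: (count, mean gap in s)}."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:  # lines that are not Snort alerts are skipped
            ts = datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S")
            groups[(int(m["gid"]), int(m["sid"]), m["src"], m["dst"])].append(ts)
    out = {}
    for key, stamps in groups.items():
        stamps.sort()
        span = (stamps[-1] - stamps[0]).total_seconds()
        n = len(stamps)
        out[key] = (n, span / (n - 1) if n > 1 else None)
    return out

def suppress_lines(summary, min_count=3):
    """Build one source-scoped suppress line per noisy (gid, sid, src)."""
    noisy = sorted({(g, s, src) for (g, s, src, _), (n, _) in summary.items()
                    if n >= min_count})
    return [f"suppress gen_id {g}, sig_id {s}, track by_src, ip {src}"
            for g, s, src in noisy]

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for key, (count, gap) in sorted(summary.items()):
        print(key, "count:", count, "mean gap (s):", gap)
    print("\n".join(suppress_lines(summary)))
```

A `suppress` line belongs in snort.conf or the threshold.conf it includes; scoping it with `track by_src` leaves SID 404 alerting for every other source address.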