Snort mailing list archives
Re: help with file bpf and ip 0.0.0.0
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Wed, 20 Jan 2016 17:13:10 +0000
Maybe I missed it but why are you using 0.0.0.0/8 in your home_net again?

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: hernani coelho [mailto:hernani_coelho () msn com]
Sent: Wednesday, January 20, 2016 12:03 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] help with file bpf and ip 0.0.0.0

Now I see that if I search a web page, snort gives me alerts like this -->

#0-(1-7731) [snort <http://www.snort.org/search/sid/119-15>] http_inspect: OVERSIZE REQUEST-URI DIRECTORY 2016-01-20 16:59:34 192.168.1.66:57514 95.172.94.15:80 TCP

Is it safe to ignore port 80??

thanks
hernani

On 20-01-2016 16:52, hernani coelho wrote:

Sorry, false alert :) The alerts are still there. I shut down mldonkey. The alerts show the protocol is ip. Can someone help me??

#1-(1-7660) [snort <http://www.snort.org/search/sid/129-15>] stream5: Reset outside window 2016-01-20 16:46:57 64.4.8.0 0.0.0.0 IP

On 20-01-2016 13:58, hernani coelho wrote:

I have some progress. I think it is the program mldonkey for linux; it has its ip set to 0.0.0.0. I changed it to 127.0.0.1, and for now the alerts stopped.

thanks
hernani

On 20-01-2016 12:29, hernani coelho wrote:

#1-(1-7332) [snort <http://www.snort.org/search/sid/129-15>] stream5: Reset outside window 2016-01-20 12:15:53 64.4.8.0 0.0.0.0

I put the filter in snort.conf

ipvar HOME_NET [192.168.1.66/24,0.0.0.0/8]
ipvar EXTERNAL_NET any

I have now put in /etc/snort/threshold.conf -- src ip 0.0.0.0/8 and it works, but not for 64.4.8.0; for dst ip 0.0.0.0/8 it doesn't work.

thanks
hernani

On 20-01-2016 11:54, James Lay wrote:

What are the alerts (post sample), where did you put the filter at (snort.conf or command line), and what are your HOME_NET and EXTERNAL_NET set to?

James

On Wed, 2016-01-20 at 09:44 +0000, hernani coelho wrote:

Nobody can help me??

On 18-01-2016 10:47, hernani coelho wrote:
hello,
I installed snort and it works, but I receive many alerts from ip 0.0.0.0. I
put this in the BPF file -->
not ( ip host (192.168.1.66 or 0.0.0.0))
For the first ip it works, but for ip 0.0.0.0 it does not work; I receive many
alerts.
What can I do to ignore alerts from ip 0.0.0.0?
Can someone help me??
thanks
hernani
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
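Added example, not part of any poster's message: the thread's alerts carry their generator and signature IDs in the snort.org link (129-15, 119-15), so the threshold.conf filtering discussed above can be scoped to one signature and one side of the flow instead of a whole address range. The sketch parses constructed copies of the thread's alert rows (BASE console links stripped) and emits entries in the Snort 2.9 `suppress gen_id ..., sig_id ..., track ..., ip ...` form; the function names are hypothetical.

```python
import re

# Constructed sample: the alert rows quoted in the thread, with the BASE
# console links removed (ID, [snort <sid URL>], message, time, src, dst, proto).
ALERTS = """\
#0-(1-7731) [snort <http://www.snort.org/search/sid/119-15>] http_inspect: OVERSIZE REQUEST-URI DIRECTORY 2016-01-20 16:59:34 192.168.1.66:57514 95.172.94.15:80 TCP
#1-(1-7660) [snort <http://www.snort.org/search/sid/129-15>] stream5: Reset outside window 2016-01-20 16:46:57 64.4.8.0 0.0.0.0 IP
#1-(1-7332) [snort <http://www.snort.org/search/sid/129-15>] stream5: Reset outside window 2016-01-20 12:15:53 64.4.8.0 0.0.0.0
"""

# The "<gid>-<sid>" pair in the link maps to gen_id / sig_id in threshold.conf.
ROW = re.compile(
    r"search/sid/(?P<gid>\d+)-(?P<sid>\d+)>\]\s+(?P<msg>.+?)\s+"
    r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?::\d+)?\s+(?P<dst>\d+(?:\.\d+){3})(?::\d+)?"
)

def parse_alerts(text):
    """Return one dict per alert row with gid, sid, msg, src and dst."""
    rows = []
    for line in text.splitlines():
        m = ROW.search(line)
        if m:
            d = m.groupdict()
            d["gid"], d["sid"] = int(d["gid"]), int(d["sid"])
            rows.append(d)
    return rows

def suppress_lines(rows, noisy_ip):
    """Build suppress entries limited to the signatures seen for noisy_ip."""
    out = set()
    for r in rows:
        for side, track in (("src", "by_src"), ("dst", "by_dst")):
            if r[side] == noisy_ip:
                out.add(f"suppress gen_id {r['gid']}, sig_id {r['sid']}, "
                        f"track {track}, ip {noisy_ip}")
    return sorted(out)

if __name__ == "__main__":
    rows = parse_alerts(ALERTS)
    for ip in ("0.0.0.0", "64.4.8.0"):
        print("\n".join(suppress_lines(rows, ip)))
```

Because each entry names a single gen_id/sig_id pair, other signatures involving the same address, such as the http_inspect alert on port 80, continue to be reported.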
Current thread:
- help with file bpf and ip 0.0.0.0 hernani coelho (Jan 18)
- <Possible follow-ups>
- Re: help with file bpf and ip 0.0.0.0 hernani coelho (Jan 20)
- Re: help with file bpf and ip 0.0.0.0 James Lay (Jan 20)
- Re: help with file bpf and ip 0.0.0.0 hernani coelho (Jan 20)
- Re: help with file bpf and ip 0.0.0.0 hernani coelho (Jan 20)
- Re: help with file bpf and ip 0.0.0.0 hernani coelho (Jan 20)
- Re: help with file bpf and ip 0.0.0.0 hernani coelho (Jan 20)
- Re: help with file bpf and ip 0.0.0.0 Al Lewis (allewi) (Jan 20)
- Re: help with file bpf and ip 0.0.0.0 hernani coelho (Jan 20)
- Re: help with file bpf and ip 0.0.0.0 wkitty42 (Jan 20)
- Re: help with file bpf and ip 0.0.0.0 Al Lewis (allewi) (Jan 20)
- Re: help with file bpf and ip 0.0.0.0 James Lay (Jan 20)
- Re: help with file bpf and ip 0.0.0.0 wkitty42 (Jan 20)
- Re: help with file bpf and ip 0.0.0.0 hernani coelho (Jan 20)
- Re: help with file bpf and ip 0.0.0.0 Joel Esler (jesler) (Jan 20)
- Re: help with file bpf and ip 0.0.0.0 hernani coelho (Jan 21)
- Re: help with file bpf and ip 0.0.0.0 hernani coelho (Jan 21)
- Re: help with file bpf and ip 0.0.0.0 Joel Esler (jesler) (Jan 21)
- Re: help with file bpf and ip 0.0.0.0 hernani coelho (Feb 12)