Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Snort rules setup.

from [Derick Anderson] Network Security [Permanent Link]
Subject: RE: Snort rules setup.
Date: Mon, 5 Dec 2005 07:48:55 -0500 
 


-----Original Message-----
From: phunked up! [mailto:phunkodelic@gmail.com] 
Sent: Wednesday, November 30, 2005 2:14 PM
To: focus-ids@securityfocus.com
Subject: Snort rules setup.

I am trying to get rid of the errors of: "(portscan) Open 
Port" in my Snort logs.  They are filling it up quite fast.  
I have put a line in the threshold.conf file and enabled that 
file in the snort.conf file but that has done nothing so far.

Setup is Centos/MySQL/Snort/BASE.  Any advice would be much 
appreciated.

Thanks!



Instead of using threshold.conf I used some suppress commands in
snort.conf. I don't remember which gen_id and sig_id portscan/open port
is but I added these 4 lines in my snort.conf to shut it and
http_inspect up in regards to certain events:

suppress gen_id 122, sig_id 27:
suppress gen_id 122, sig_id 19:
suppress gen_id 119, sig_id 4:
suppress gen_id 119, sig_id 15:

I'm sure some googling will shed light on the combination you may need,
although I remember it taking me forever to figure out what to do.

Derick Anderson

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  on TASL correlation rules, Anton Chuvakin
Next by Date:  Re: IM & P2P packets, Eric Grejda
Previous by Thread:  Re: Snort rules setup., Joel Esler
Next by Thread:  ANN: Free endpoint security software released (Core FORCE 070.105), Core FORCE team
Indexes:  [Date] [Thread] [Top] [All Lists]