On 14/12/2007, Jonathan Askew JBASKEW <JBASKEW@uncg.edu> wrote:
I am new to IDS and have just set up snort on a ubuntu host. It has worked
well except for the fact that I am getting some false positivies from local
traffic on the network. I have been trying to find the solution on snort's
forums but the site seems to be going up and down randomly. I want to set a
rule in order to suppress/ignore local network traffic for 192.168.1.0/24.
I know this can be done in the /etc/threshold.conf file but have not been
able to do so successfully. Can someone be so kind as to post their
threshold.conf file or guide me through the process?
Hi there,
I haven't tried the threshold stuff myself - but can you post your
threshold.conf ? The doco suggests something like this:
suppress gen_id 1, sig_id 1852, track by_dst, ip 192.168.1.0/24
for each sid (1852 in this case) you want to suppress. I would track
by destination, because often the alerts indicating outgoing attacks
are the interesting ones. (The internet attacking you is not news, you
attacking the internet definitely is news.)
You might do better with this query on snort-users:
https://lists.sourceforge.net/lists/listinfo/snort-users
cheers,
Jamie
--
Jamie Riden / jamesr@europe.com / jamie@honeynet.org.uk
UK Honeynet Project: http://www.ukhoneynet.org/
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
