
[Snort-users] P2P traffic?

Subject: [Snort-users] P2P traffic?
Date: Thu, 21 Jul 2005 15:31:27 -0500
I have just started using Snort and am new to it. I have seen a huge number of alerts of three types in particular. I think these are related and that is why I am posting them together. The alerts are:

(http_inspect) BARE BYTE UNICODE ENCODING
(portscan) TCP Portsweep
(portscan) Open Port

I have searched the internet and have not found any reference to these alerts in combination. When I look at one of the Bare Byte Unicode packets, I find the following:

http://emule-project.net

These alerts are coming from computers within the subnet I am monitoring and going to numerous different destination addresses all over the internet. I work at a University so we do not block P2P on our ResNet (Resident Hall Network). I know one of the users that is coming up at the top is using P2P.

My question is, are these three alerts typical of P2P programs? Should I ignore them?

That brings up my second set of questions. I understand these are preprocessors in Snort. I have gone into the threshold.conf and added the following lines:

suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 3
suppress gen_id 119, sig_id 4

I uncommented the line in the snort.conf, but I still get counts on these alerts. I have even added the suppress lines to the snort.conf and still receive alert counts. How do I stop these alerts from being watched for? Am I on the right track with this?

Thank you for the help.
Gary Douglas
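A small checker, added here as an example and not code from the poster or from the Snort project, that reads the three `suppress` lines from the post (plus a hypothetical subnet-scoped variant using `track by_src, ip`) and applies them to constructed alert lines written in the shape of Snort's fast alert output. It models only the `gen_id`/`sig_id`/`track`/`ip` fields of a `suppress` entry, not Snort's full threshold processing, and the ResNet range 10.20.0.0/16, the addresses and the timestamps are invented. It is useful for confirming that a suppress line actually names the gid:sid pair that is being counted, and for seeing how a scoped suppression keeps the same event visible for sources outside the P2P-permitted subnet.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed threshold.conf excerpt: the three global suppress lines from the
# post, plus one hypothetical subnet-scoped variant (10.20.0.0/16 is an assumed
# ResNet range, not a value from the post).
THRESHOLD_CONF = """\
# silence the two portscan preprocessor events everywhere
suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 3
# silence the http_inspect event only for sources inside ResNet
suppress gen_id 119, sig_id 4, track by_src, ip 10.20.0.0/16
"""

# Constructed alert lines in the shape of Snort's "fast" alert output;
# addresses and timestamps are invented, not taken from a real sensor.
ALERTS = [
    "07/21-15:31:27.101 [**] [122:3:1] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 10.20.4.17 -> 198.51.100.9",
    "07/21-15:31:28.202 [**] [122:27:1] (portscan) Open Port [**] [Priority: 3] {PROTO:255} 10.20.4.17 -> 198.51.100.9",
    "07/21-15:31:29.303 [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.20.4.17:4662 -> 203.0.113.5:80",
    "07/21-15:31:30.404 [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.30.1.2:3921 -> 203.0.113.5:80",
    "07/21-15:31:31.505 [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 10.20.4.17 -> 198.51.100.9",
]

SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)
ALERT_RE = re.compile(
    r"\[(\d+):(\d+):\d+\]\s+(.*?)\s+\[\*\*\].*?\{[^}]+\}\s+(\S+)\s+->\s+(\S+)"
)


@dataclass
class SuppressRule:
    gid: int
    sid: int
    track: Optional[str]  # None = global; otherwise "by_src" or "by_dst"
    net: Optional[ipaddress.IPv4Network]


@dataclass
class Alert:
    gid: int
    sid: int
    msg: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def _host(addr: str) -> ipaddress.IPv4Address:
    # Fast-alert addresses may carry a ":port" suffix; IPv4 only is assumed.
    return ipaddress.IPv4Address(addr.rsplit(":", 1)[0] if ":" in addr else addr)


def parse_suppress(conf: str) -> List[SuppressRule]:
    """Collect suppress entries; comments, blanks and other directives are skipped."""
    rules = []
    for line in conf.splitlines():
        m = SUPPRESS_RE.match(line)
        if not m:
            continue
        gid, sid, track, ip = m.groups()
        net = ipaddress.IPv4Network(ip, strict=False) if ip else None
        rules.append(SuppressRule(int(gid), int(sid), track, net))
    return rules


def parse_alert(line: str) -> Optional[Alert]:
    m = ALERT_RE.search(line)
    if not m:
        return None
    gid, sid, msg, src, dst = m.groups()
    return Alert(int(gid), int(sid), msg, _host(src), _host(dst))


def is_suppressed(alert: Alert, rules: List[SuppressRule]) -> bool:
    """True if any rule matches the alert's gid:sid and, when scoped, its address."""
    for r in rules:
        if (r.gid, r.sid) != (alert.gid, alert.sid):
            continue
        if r.track is None:
            return True
        addr = alert.src if r.track == "by_src" else alert.dst
        if addr in r.net:
            return True
    return False


def apply_suppressions(conf: str, lines: List[str]) -> Dict[str, List[str]]:
    """Split alert lines into those the suppress entries would silence and the rest."""
    rules = parse_suppress(conf)
    out: Dict[str, List[str]] = {"suppressed": [], "remaining": []}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        key = "suppressed" if is_suppressed(alert, rules) else "remaining"
        out[key].append(f"[{alert.gid}:{alert.sid}] {alert.msg} from {alert.src}")
    return out


if __name__ == "__main__":
    for bucket, items in apply_suppressions(THRESHOLD_CONF, ALERTS).items():
        print(bucket)
        for item in items:
            print("  ", item)
```

Run against the constructed input, the two portscan events and the ResNet-sourced http_inspect event land in `suppressed`, while the same http_inspect event from 10.30.1.2 (outside the assumed ResNet range) and the 122:1 event, whose sid none of the entries name, stay in `remaining`. The checker cannot tell why a sensor keeps counting after a suppress line is added (a stale process, or the wrong file being included, are things to verify on the sensor itself); it only confirms that the entries match the events being reported.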