Why I did not get any alert is because I got an error.
If I commented out sfportscan, I got an error
"Unknown rule type: memcap" if I run from comnand
snort -c -l and I even could not start the snort
service. After I uncomment the sfportscan, I have no
problem with -c -l and the service can be restarted.
(I followd the doc on the winsnort to install snort as
a service)
what am I missing?
Thanks,
Peter
--- "Briggs, Bruce" <Bruce.Briggs@suny.edu> wrote:
You won't get any portscan alerts if you comment
out, and thus do not
run, sfportscan.
You should still get http_inspect alerts if you have
not suppressed
them.
Bruce
-----Original Message-----
From: Peter Rodger [mailto:prodger2008@yahoo.com]
Sent: Wednesday, October 26, 2005 10:22 AM
To: Briggs, Bruce; s
Subject: RE: [Snort-users] Is this right one?
Bruce,
Thank you. If I commented #preprocessor sfportscan,
i got no alert at all. Is this normal?
BTW, how do I find out the dropped packets from BASE
console? (I have a Winsnort on windows 2003, MSSQL
and BASE ocnsole)Currently, the snort box is palced
inside firewall and I span the PIX port to the snort
monitoring port. (I access it from manager interface
on another NIC of the Snort box)
Any suggestions?
Peter
-- "Briggs, Bruce" <Bruce.Briggs@suny.edu> wrote:
The downside is that you don't get alerts of
possible port scans.
Too much noise for my setup and not enough control
over tuning the
portscan alerts for me.
Bruce
-----Original Message-----
From: Peter Rodger [mailto:prodger2008@yahoo.com]
Sent: Tuesday, October 25, 2005 12:46 PM
To: Briggs, Bruce; s
Subject: RE: [Snort-users] Is this right one?
Bruce,
Thanks for your help as always. Currently, I did
the
same thing and comment out portscan in the
snort.conf.
I do not know what's the downside about this?
I am getting too much inerest in snort and try to
learn as a baby. Please forgive my newbabie
questions.
Thank you,
Peter
--- "Briggs, Bruce" <Bruce.Briggs@suny.edu> wrote:
suppress gen_id 119, sig_id 4 works for me.
I don't run portscan, so I've not tried suppress
on
those alerts.
Bruce
-----Original Message-----
From: Peter Rodger
[mailto:prodger2008@yahoo.com]
Sent: Tuesday, October 25, 2005 12:07 PM
To: Briggs, Bruce; Eric Maheo; s
Subject: RE: [Snort-users] Is this right one?
Hi,
Thanks for your help and it works (only
monitoring
exchange servers' traffic) .
I still could not figure out why this one does
not
work as posted before:
snort] (portscan) Open Port unclassified
[snort] (portscan) UDP Portsweep unclassified
[snort] (http_inspect) BARE BYTE UNICODE
ENCODING
I have attempted to suppress these alerts in my
snort.conf file like the following:
suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 19
suppress gen_id 119, sig_id 4
Could it be too much traffic that overkill the
snort
box and can not process suppress as indicated
above??
Currently, the snort box is palced inside
firewall
and
I span the PIX port to the snort monitoring
port.
Please give me some suggestions and hints.
Should
I
buy taps?
Thanks as always,
Peter
--- "Briggs, Bruce" <Bruce.Briggs@suny.edu>
wrote:
The format should be:
suppress gen_id 1, sig_id 1070
Make sure that you have an uncommented
include
on
snort.conf for
threshold.conf.
Also you could comment out sid_id 1070 in
web-misc.rules
Many use oinkmaster to automatically update
new
Snort sigs and keep mods
to their Snort rules.
Bruce
-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net]
On
Behalf Of Peter
Rodger
Sent: Tuesday, October 25, 2005 10:35 AM
To: s
Subject: [Snort-users] Is this right one?
Hi all,
I try to suppress this one event .
WEB-MISC WebDAV search access
I added suppress sid_id 1070 in the
threshold.conf.
Is this right?
Thanks,
Peter
__________________________________
Yahoo! FareChase: Search multiple travel sites
in
one click.
http://farechase.yahoo.com
-------------------------------------------------------
This SF.Net email is sponsored by the JBoss
Inc.
Get Certified Today * Register for a JBoss
Training
Course
Free Certification Exam for All Training
Attendees
Through End of 2005
Visit
http://www.jboss.com/services/certification
for more information
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or
unsubscribe:
=== message truncated ===
__________________________________
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com
-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.
Get Certified Today * Register for a JBoss Training Course
Free Certification Exam for All Training Attendees Through End of 2005
Visit http://www.jboss.com/services/certification for more information
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
