Thanks for your help.
did you enable the include
threshold.conf at the end
of your snort.conf?
YES!
Also, I changed to
suppress gen_id 100, sig_id 1, track by_src, ip
10.1.10.6
suppress gen_id 100, sig_id 2, track by_src, ip
10.1.10.6
suppress gen_id 100, sig_id 3, track by_src, ip
10.1.10.6
and sill with ignor_scanners statement. But, I still
get these alerts:
************************
ID < Signature > < Timestamp > < Source Address
< Dest. Address > < Layer 4 Proto >
#0-(2-11683) [snort] spp_portscan
from 10.1.10.6: 1 connections across 1 hosts: TCP(1),
UDP(0) 2005-11-16 10:50:39 10.1.10.6
unknown IP
#1-(2-11682) [snort] spp_portscan
from 10.1.10.6: 1 connections across 1 hosts: TCP(1),
UDP(0) 2005-11-16 10:49:59 10.1.10.6
unknown IP
#2-(2-11681) [snort] spp_portscan
from 10.1.10.6: 1 connections across 1 hosts: TCP(1),
UDP(0) 2005-11-16 10:49:18 10.1.10.6
unknown IP
*********************
any clue and I am totally lost.
Any suggestions?
Thanks,
John
--- Eric Maheo <eric.maheo@appliedwatch.com> wrote:
Just my 2 cents.. did you enable the include
threshold.conf at the end
of your snort.conf?
you can add a cidr but consult the snort_manual.pdf.
This manual is in your /doc of your sources.
Download from snort.org and
untargz your file and you will see this
snort_manual.pdf in the /doc
directory. At the page 83 you have your answer.
ex: suppress gen_id 1, sig_id 1234, track by_dst, ip
10.1.0.0/24
On Wed, 2005-11-16 at 07:07 -0800, John Friedman
wrote:
Thanks for all suggestions and help that have been
given to me.
Here is my config now:
preprocessor sfportscan: proto { all } \
memcap { 10000000 } \
sense_level { low } \
ignore_scanners
{[10.1.10.5,10.1.10.6] }
I restared the snort service and I still get these
alerts.
I add these to the threshold.conf:
suppress gen_id 100, sig_id 1
suppress gen_id 100, sig_id 2
suppress gen_id 100, sig_id 3
and I still get these alerts. no idea why?
Do you know what's the syntax for ignore_scanners
for
one block IP such as 10.1.10.0/24?
Thank you so much!
John
--- Joel Esler <joel.esler@sourcefire.com> wrote:
Because you have to include it in the line
prior..
See how the lines
prior to that have "\"? You have to put the "\"
in
the line prior to
the ignore_scanners line if you want it
included..
J
On Nov 15, 2005, at 3:14 PM, John Friedman
wrote:
Thank you for your help. Here is the config
in my
snort.conf
preprocessor sfportscan: proto { all } \
memcap { 10000000 } \
sense_level { low }
ignore_scanners { 10.1.10.6 }
But, If I add ignore_scanners { 10.1.10.6 } to
the
snort.conf, the snort service can not be
started.
If
I remove ignore_scanners { 10.1.10.6 }, then
the
snort
service is started fine. No idea why?
Thanks,
John
--- Joel Esler <joel.esler@sourcefire.com>
wrote:
You need to put them into the sfportscan
preprocessor as either
ignore_scanned or ignore_scanner if you want
to
tune
the portscan
preprocessor.
Joel Esler
On Nov 15, 2005, at 11:27 AM, John Friedman
wrote:
I constantly get these alerts from the
citrix
server:
ID < Signature > < Timestamp > <
Source
Address
< Dest. Address > < Layer 4 Proto >
#600-(2-7409) [snort]
spp_portscan
from 10.1.10.6: 1 connections across 1
hosts:
TCP(1),
UDP(0) 2005-11-15 09:49:12
10.1.10.6
unknown IP
#601-(2-7410) [snort]
spp_portscan
from 10.1.10.6: 1 connections across 1
hosts:
TCP(1),
UDP(0) 2005-11-15 09:49:19
10.1.10.6
unknown IP
#602-(2-7411) [snort]
spp_portscan
from 10.1.10.6: 1 connections across 1
hosts:
TCP(1),
UDP(0) 2005-11-15 09:49:59
10.1.10.6
unknown IP
*********
I use these
suppress gen_id 100, sig_id 1
suppress gen_id 100, sig_id 2
suppress gen_id 100, sig_id 3
but it does not work.
Any idea?
Thanks,
John
--- Jeruvy <jeruvy@shaw.ca> wrote:
Sorry about that, I routinely delete emails
from
@yahoo.com due to spam.
What is the alert SID? Do you use
oinkmaster?
J.
j e r u v y a t s h a w d o t c a
-----Original Message-----
From: John Friedman
[mailto:jfriedmanx@yahoo.com]
Sent: Tuesday, November 15, 2005 8:45 AM
To: snort
Subject: RE: [Snort-users] No clue?
Hi all,
Since I did not get any reply on this, is
there
any way to
suppress or pass this alert?
Thanks,
John
John Friedman <jfriedmanx@yahoo.com>
wrote:
Thanks for your pointing out. Here is
the
info
again:
ID <
__________________________________
Yahoo! FareChase: Search multiple travel
sites
=== message truncated ===
__________________________________
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com
-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc. Get Certified Today
Register for a JBoss Training Course. Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
