Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-users] RE: Address on my network generating many alerts

from [Arthur DiSegna] Network Security [Permanent Link]
Subject: [Snort-users] RE: Address on my network generating many alerts
Date: Wed, 26 Apr 2006 15:16:43 -0400 
The box is installed with Suse 10.0 two network interfaces. 
One nic is on the internal network and not capturing any traffic
(HOME_NET = 192.168.0.0).  
The other nic has no IP and is capturing the data in the DMZ
(EXTERNAL_NET !HOME_NET). The port on the public switch has port
forwarding enabled. The only traffic this interface captures is publicly
addressable. 

Currently I'm using the default snort.conf with added bleeding snort
rules. I will keep reading.

Thanks

 AD

-----Original Message-----
From: Nigel Houghton [mailto:nigel@sourcefire.com] 
Sent: Wednesday, April 26, 2006 2:58 PM
To: Arthur DiSegna
Cc: snort-users@lists.sourceforge.net
Subject: Re: Address on my network generating many alerts

On  0, Arthur DiSegna <adisegna@authentium.com> wrote:

 
Hello,

I just installed SNORT for the first time and have noticed one of my 
servers generating a lot of traffic. Most of it is legitimate web 
traffic. How can I exclude the normal traffic while maintaining 
intrusion checks...


Start by tuning your setup, set your HOME_NET and EXTERNAL_NET variables
in your snort.conf and start from there. The HOME_NET is normally your
internal address space and the EXTERNAL_NET could be !$HOME_NET. The
default snort.conf is generously commented.

Then start looking at other variables in there and the preprocessor
options for tuning. You might also want to look at which rule groups are
enabled and disabled too.

The manual[0] is online and there are many documents in the doc
directory of the source tarball.

[0] http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/rc1/

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

         There is no theory of evolution, just a list
            of creatures Vin Diesel allows to live.




-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Snort-users] RE: Address on my network generating many alerts, Arthur DiSegna <=
Previous by Date:  RE: [Snort-users] Address on my network generating many alerts, Erik Mintz
Next by Date:  [Snort-users] Detecting Skype: anyone know how "Tom Online" do it?, Jason Haar
Previous by Thread:  [Snort-users] Address on my network generating many alerts, Arthur DiSegna
Next by Thread:  [Snort-users] Detecting Skype: anyone know how "Tom Online" do it?, Jason Haar
Indexes:  [Date] [Thread] [Top] [All Lists]