RE: [Snort-users] Alerts generated by hosts on which snort is running

09-15-2005
Briggs, Bruce

Are you sure that eth1/snort interface being checked is the WAN port???
Sounds like maybe not.

Also, check out BASE instead of ACID.
ACID is no longer being improved, while BASE is a fork of ACID and is
being improved.
http://sourceforge.net/projects/secureideas/

Bruce.

-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Marcin
Sura
Sent: Wednesday, September 14, 2005 6:25 PM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] Alerts generated by hosts on which snort is
running

Hi

To begin, a little description of my situation. I have a Linux
box with two interfaces: eth0 - LAN, eth1 - WAN. I want Snort to
watch for attacks only from the WAN.

I set up snort with definitions like below (in snort.conf):

# My public subnetwork: my IP, IP of the DSL modem, network address
# and broadcast
var HOME_NET 83.17.xxx.xxx/30

var EXTERNAL_NET !$HOME_NET

var SMTP_SERVERS 83.17.xxx.xxx
var HTTP_SERVERS 83.17.xxx.xxx
...
(rest of the conf file is, I think, default, without any strange
modifications)

I start snort to listen on eth1.

The problem is that when I'm inspecting ACID I see my own server as
a source of many "attacks", port scans, etc. The destinations of these
"attacks" are often normal www sites, which LAN users visit every day.

And this is my problem. How to set up these variables, so my snort
will detect only real attacks? FROM internet to my server, NOT from
my server to internet :)

--
Regards,
Marcin, slacklist@op.pl




-------------------------------------------------------
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server.
Download
it for free - -and be entered to win a 42" plasma tv or your very own
Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...=snort-users
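
Added example, not part of the original thread: a Python triage script that sorts Snort fast-format alert lines by direction relative to HOME_NET, so alerts with the sensor's own address as source (what Marcin describes) can be separated from the inbound ones he wants. The 198.51.100.0/30 HOME_NET (a stand-in for the masked 83.17.xxx.xxx/30), the sample alert lines, sids and rule names are all constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumption: stand-in for the poster's masked 83.17.xxx.xxx/30 (documentation range).
HOME_NET = ipaddress.ip_network("198.51.100.0/30")

# Matches the "{PROTO} src[:port] -> dst[:port]" tail of a Snort fast-alert line.
FLOW_RE = re.compile(
    r"\{(?P<proto>\w+)\}\s+(?P<src>\d+(?:\.\d+){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?::\d+)?\s*$"
)

# Constructed sample alerts (not real Snort output; sids and messages are made up).
SAMPLE_ALERTS = """\
09/14-18:01:10.100000  [**] [1:1000001:1] constructed rule A [**] [Priority: 2] {TCP} 198.51.100.2:40112 -> 203.0.113.80:80
09/14-18:01:12.200000  [**] [1:1000002:1] constructed rule B [**] [Priority: 2] {TCP} 198.51.100.2:40113 -> 203.0.113.81:80
09/14-18:02:30.300000  [**] [1:1000003:1] constructed rule C [**] [Priority: 1] {TCP} 192.0.2.77:51515 -> 198.51.100.2:25
09/14-18:03:00.400000  [**] [1:1000004:1] constructed rule D [**] [Priority: 3] {ICMP} 198.51.100.1 -> 198.51.100.2
this line is not an alert
"""

def direction(src, dst, home=HOME_NET):
    """Classify one flow relative to HOME_NET."""
    src_home = ipaddress.ip_address(src) in home
    dst_home = ipaddress.ip_address(dst) in home
    if src_home and dst_home:
        return "internal"
    if src_home:
        return "outbound"
    return "inbound" if dst_home else "transit"

def classify(text, home=HOME_NET):
    """Return (Counter of direction labels, [(label, src, dst), ...])."""
    counts, rows = Counter(), []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        try:
            label = direction(m["src"], m["dst"], home) if m else "unparsed"
        except ValueError:  # octet out of range, e.g. 999.1.1.1
            label = "unparsed"
        counts[label] += 1
        if label != "unparsed":
            rows.append((label, m["src"], m["dst"]))
    return counts, rows

if __name__ == "__main__":
    counts, rows = classify(SAMPLE_ALERTS)
    for label, src, dst in rows:
        print(f"{label:9} {src} -> {dst}")
    print(dict(counts))
```

A large "outbound" share on the WAN-side sensor confirms that the alerts are being raised on traffic leaving the server's own address rather than on traffic arriving from the internet.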