RE: [Snort-users] Is this right one? (Snort forums, System Security and Security Related category)

Hi,
Thanks for your help and it works (only monitoring exchange servers' traffic). I still could not figure out why this one does not work as posted before:

[snort] (portscan) Open Port unclassified
[snort] (portscan) UDP Portsweep unclassified
[snort] (http_inspect) BARE BYTE UNICODE ENCODING

I have attempted to suppress these alerts in my snort.conf file like the following:

suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 19
suppress gen_id 119, sig_id 4

Could it be that too much traffic overkills the snort box and it cannot process suppress as indicated above? Currently, the snort box is placed inside the firewall and I span the PIX port to the snort monitoring port. Please give me some suggestions and hints. Should I buy taps?

Thanks as always,
Peter

--- "Briggs, Bruce" <Bruce.Briggs@suny.edu> wrote:

> The format should be:
> suppress gen_id 1, sig_id 1070
>
> Make sure that you have an uncommented include on snort.conf for
> threshold.conf.
>
> Also you could comment out sid_id 1070 in web-misc.rules
>
> Many use oinkmaster to automatically update new Snort sigs and keep mods
> to their Snort rules.
>
> Bruce
>
> -----Original Message-----
> From: snort-users-admin@lists.sourceforge.net
> [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Peter Rodger
> Sent: Tuesday, October 25, 2005 10:35 AM
> To: s
> Subject: [Snort-users] Is this right one?
>
> Hi all,
> I try to suppress this one event.
> WEB-MISC WebDAV search access
> I added suppress sid_id 1070 in the threshold.conf.
> Is this right?
>
> Thanks,
>
> Peter

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
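
Added example, not part of the original thread or of Snort itself: a small Python check for the two things the reply points at, the "suppress gen_id N, sig_id M" line format and an uncommented include for threshold.conf. The function name lint and the sample file contents are constructed for illustration; the optional "track ..., ip ..." tail it accepts is standard Snort 2.x suppress syntax.

```python
import re

# Form given in the reply: "suppress gen_id 1, sig_id 1070"; the optional
# "track by_src|by_dst, ip <addr>" tail is standard Snort 2.x syntax.
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(?:by_src|by_dst)\s*,\s*ip\s+\S+)?\s*$")
INCLUDE_RE = re.compile(r"^include\s+(\S+)\s*$")

def strip_comment(raw):
    return raw.split("#", 1)[0].strip()

def lint(files, main="snort.conf"):
    """files maps file name -> text. Returns (active, problems): active is the
    set of (gen_id, sig_id) pairs reachable from main, problems lists
    malformed suppress lines and files that are never included."""
    active, problems = set(), []
    reachable, queue = set(), [main]
    while queue:                                  # follow uncommented includes
        name = queue.pop()
        if name in reachable or name not in files:
            continue
        reachable.add(name)
        for no, raw in enumerate(files[name].splitlines(), 1):
            line = strip_comment(raw)
            inc = INCLUDE_RE.match(line)
            if inc:
                queue.append(inc.group(1).rsplit("/", 1)[-1])
            elif line.startswith("suppress"):
                m = SUPPRESS_RE.match(line)
                if m:
                    active.add((int(m.group(1)), int(m.group(2))))
                else:
                    problems.append(f"{name}:{no}: malformed: {line}")
    for name in sorted(files.keys() - reachable):  # files Snort never reads
        lines = files[name].splitlines()
        if any(strip_comment(l).startswith("suppress") for l in lines):
            problems.append(f"{name}: has suppress lines but is not included")
    return active, problems

# Constructed sample files (not the poster's real configuration).
SAMPLE = {
    "snort.conf": "var HOME_NET any\n# include threshold.conf\n"
                  "suppress gen_id 122, sig_id 27\n"
                  "suppress gen_id 119, sig_id 4\n",
    "threshold.conf": "suppress sid_id 1070\nsuppress gen_id 1, sig_id 1070\n",
}

if __name__ == "__main__":
    print(lint(SAMPLE))
```

With the include commented out, the check reports threshold.conf as unreachable; once it is uncommented, the "suppress sid_id 1070" line is flagged as malformed while the gen_id/sig_id form is accepted.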