Snort mailing list archives

Re: Problems with snort


From: Nick Moore <nmoore () sourcefire com>
Date: Mon, 26 Mar 2012 11:43:22 -0500

Philip,

Ping floods I haven't worked with as much, but port scanning will not
necessarily alert outside the portscan preprocessor, which is off by
default. If you really want to test your rulebase, I would suggest
downloading some interesting pcaps and testing your snort rulebase against
them. You can find a bunch of them here:

http://sourceforge.net/apps/mediawiki/networkminer/index.php?title=Publicly_available_PCAP_files

When it comes time to tune your rulebase for your network, please consider
the rules that are applicable to your environment. For example, if you have
a Windows environment with client machines (e.g. most user vlans or home
networks), don't turn on the Linux/Unix rules and those pertaining to
services not present in your network, e.g. DNS, Web, SQL.... If you're not
sure what's in your environment, run nmap against it to gather open ports
and operating systems.

Happy Snorting!

Nick

On Mon, Mar 26, 2012 at 5:24 AM, Philip Edwards <phil.e () clara net> wrote:
Hello everybody,

I've recently set up snort 2.9.2 on Ubuntu, and used oinkmaster to get
the 2921 rules.
It runs fine in Daemon mode and the base interface is reporting alerts.
The machine only currently has one NIC so I'm attempting to generate alerts
from my laptop on the same network. I've tried ping flooding it and port
scanning it but every alert is currently showing up as a "Community SIP
TCP/IP message flooding directed to SIP proxy SID 100000160".

I've been led to believe that since I haven't tuned it yet these are
false positives and will disappear when I have.
My question is why are portscans and ping floods showing up as the same
thing and why none of the three SIDs detected so far appear in the online
database?

Thanks

Phil.



------------------------------------------------------------------------------
This SF email is sponsored by:
Try Windows Azure free for 90 days Click Here
http://p.sf.net/sfu/sfd2d-msazure
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!




-- 
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Voice 708-336-9041
Email nick.moore () sourcefire com
IM    nickgmoore (Yahoo)
       nickgmoore38 (AIM)

    ,,_
   o"  )~   Sourcefire - The Creators of Snort
    ''''

www.sourcefire.com         www.snort.org     www.immunet.com
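As an added example (not Nick's code and not part of Snort or oinkmaster), the offline test he describes, as a small POSIX shell script: replay a downloaded pcap through the rulebase, count which gid:sid pairs fired, and emit oinkmaster `disablesid` lines for rules that fire more often than a threshold so they can be reviewed before the sensor goes live. The config path, log directory, sfportscan line and the sample alert lines are assumptions; `snort` must be installed for the replay step, while the summarizing functions run on any fast-format alert file.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed paths; override via environment.
set -eu

SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}   # assumed location
LOGDIR=${LOGDIR:-./snort-test}

# sfportscan is off by default, so port scans in the pcap will not alert
# unless snort.conf carries a line such as (assumed tuning values):
#   preprocessor sfportscan: proto { all } scan_type { all } sense_level { low }
# Its alerts come from generator 122 (e.g. [122:1:0] "(portscan) TCP Portscan").

# Offline replay: -r reads the pcap instead of sniffing a NIC, -A fast writes
# one-line alerts to $LOGDIR/alert, -q drops the banner. Needs snort installed.
replay_pcap() {
    pcap=$1
    mkdir -p "$LOGDIR"
    snort -q -c "$SNORT_CONF" -r "$pcap" -l "$LOGDIR" -A fast
}

# Count alerts per generator:sid in a fast-format alert file, busiest first.
# A fast-format line looks like (constructed sample):
#   03/26-11:40:01.000001  [**] [1:100000160:2] COMMUNITY SIP ... [**] ...
summarize_alerts() {
    awk '
        match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/) {
            id = substr($0, RSTART + 1, RLENGTH - 2)   # e.g. 1:100000160:2
            sub(/:[0-9]+$/, "", id)                     # drop the rule revision
            count[id]++
        }
        END { for (id in count) printf "%d %s\n", count[id], id }
    ' "$1" | sort -rn
}

# Emit oinkmaster.conf "disablesid gid:sid" lines for rules that fired more
# than $2 times. Deciding whether each one is noise for this network is the
# tuning step Nick describes; the script only produces the candidate list.
noisy_sids() {
    summarize_alerts "$1" | awk -v max="$2" '$1 > max { print "disablesid " $2 }'
}

# Usage: sh snort-replay-check.sh capture.pcap [max_alerts_per_sid]
if [ "$#" -ge 1 ]; then
    replay_pcap "$1"
    summarize_alerts "$LOGDIR/alert"
    noisy_sids "$LOGDIR/alert" "${2:-50}"
fi
```

Append the emitted `disablesid` lines to oinkmaster.conf only after reading the matching rule and confirming it covers a service or platform that does not exist on the monitored segment; a rule that fires on real traffic in a test pcap is not necessarily a false positive.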