[Snort-users] Alerts generated by hosts on which snort is running

From: Marcin Sura (slacklistop.pl)
Date: Wed Sep 14 2005 - 17:25:25 CDT


Hi

  At the beginning, a little description of my situation. I have a Linux
  box with two interfaces: eth0 - LAN, eth1 - WAN. I want Snort to
  watch attacks only from the WAN.

  I set up snort with definitions like below (in snort.conf):

  var HOME_NET 83.17.xxx.xxx/30  # my public subnetwork: my ip, ip of DSL modem, network address and broadcast
  
  var EXTERNAL_NET !$HOME_NET
  
  var SMTP_SERVERS 83.17.xxx.xxx
  var HTTP_SERVERS 83.17.xxx.xxx
  ...
  (the rest of the conf file is, I think, default, without any strange
  modifications)

  I start snort to listen on eth1.

  The problem is that when I'm inspecting ACID I see my own server as
  the source of many "attacks", port scans, etc. The destinations of "these"
  attacks are often normal www sites, which LAN users visit every day.

  And this is my problem. How do I set up these variables so that my Snort
  will detect only real attacks? FROM the internet to my server, NOT from
  my server to the internet :)

--
Regards
Marcin, slacklistop.pl
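One way to confirm where the noise comes from, as an added example that is not part of the original post or of Snort itself: the script below classifies Snort 2.x "-A fast" alert lines relative to HOME_NET (so alerts sourced from the server, which is what NAT'd LAN browsing looks like on eth1, can be counted separately from real inbound ones) and builds a BPF capture filter that keeps only packets addressed to HOME_NET from outside it. The sample alert lines and the 83.17.0.0/30 prefix are constructed stand-ins for the masked values in the post.

```python
import ipaddress
import re

# Tail of a Snort 2.x "-A fast" alert line: [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\].*?\{(?P<proto>[^}]+)\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)

# Constructed sample alerts; 83.17.0.0/30 stands in for the masked prefix in the post.
SAMPLE_ALERTS = [
    "09/14-17:25:25.000001  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] "
    "{PROTO:255} 83.17.0.2 -> 213.180.130.200",
    "09/14-17:26:01.000002  [**] [1:1390:5] SHELLCODE x86 inc ebx NOOP [**] "
    "[Classification: Executable code was detected] [Priority: 1] {TCP} 83.17.0.2:33012 -> 66.102.9.99:80",
    "09/14-17:27:40.000003  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 83.17.0.2:1434",
    "09/14-17:28:10.000004  [**] [1:469:3] ICMP PING NMAP [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.9 -> 83.17.0.1",
    "snort: preprocessor stats (not an alert line)",
]

def direction(src, dst, home_net):
    """Label a flow relative to HOME_NET: inbound, outbound, internal or external."""
    net = ipaddress.ip_network(home_net, strict=False)
    src_home, dst_home = ipaddress.ip_address(src) in net, ipaddress.ip_address(dst) in net
    if src_home and dst_home:
        return "internal"
    if src_home:
        return "outbound"  # NAT'd LAN browsing lands here, with the server as the source
    return "inbound" if dst_home else "external"

def tally(alert_lines, home_net):
    """Count alerts per direction; lines that are not fast-alert records go to 'unparsed'."""
    counts = {"inbound": 0, "outbound": 0, "internal": 0, "external": 0, "unparsed": 0}
    for line in alert_lines:
        m = ALERT_RE.search(line.strip())
        if not m:
            counts["unparsed"] += 1
            continue
        counts[direction(m["src"], m["dst"], home_net)] += 1
    return counts

def inbound_bpf(home_net):
    """BPF capture filter (appended to the snort command line) keeping only traffic sent to HOME_NET from outside."""
    net = ipaddress.ip_network(home_net, strict=False)
    return f"dst net {net} and not src net {net}"

if __name__ == "__main__":
    print(tally(SAMPLE_ALERTS, "83.17.0.0/30"))
    print(inbound_bpf("83.17.0.0/30"))
```

A one-directional capture filter means the stream preprocessor never sees the reply half of a connection, so rules that depend on established flow state may stop matching; keeping both directions and instead telling the portscan preprocessor to ignore the server's own address is the less intrusive option.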
