LinuxQuestions.org > Linux - Security > snort logs get flooded
(https://www.linuxquestions.org/questions/linux-security-4/snort-logs-get-flooded-63498/)

iceman47 06-03-2003 05:36 PM

snort logs get flooded
 
Simple question I hope: how can I stop these alerts from being logged?
They come from my ISP and I'm pretty sick of getting 3MB a day just of these alerts. Here's one: (although the others are pretty much the same, the local ip differs obviously and the remote ip changes from time to time).
Code:

06/03-08:41:04.379969  [**] [1:620:2] SCAN Proxy (8080) attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.104:1063 -> 213.224.83.135:8080

unSpawn 06-04-2003 05:47 AM

I think it's good to have some sort of outbound traffic checking, but this behaviour could stem from you erring in the setup of variables like $HOME_NET in snort.conf. Please verify.

If your variables are OK, then there's a few ways to "mute" these alerts:
- Disable the rule,
- Change the flow in the rule towards the $HOME_NET,
- Write a "pass" rule,
- Add a BPF filter.

If 213.224.83.13? only offer HTTP-PROXY, and you trust them, then the easiest way IMHO would be to tack on a BPF filter. Read the Snort docs on how to do that, the manpage for tcpdump may help you construct the filter as well, and if you can't figure it out at least post what you tried.
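For readers who want to see what the variable check, the pass rule and the BPF filter from the reply above look like in practice, here is an added example in Snort 2.x syntax (not code from the thread). It assumes a 192.168.1.0/24 LAN, that 213.224.83.135 is the only trusted ISP proxy host, and a local rules file called local.rules.

```snort
# --- snort.conf: check the variables first --------------------------------
# If HOME_NET is "any", EXTERNAL_NET (!$HOME_NET) is empty and every
# direction-sensitive rule matches outbound traffic as well. Scope it.
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
# Trusted ISP proxy host(s); assumed value taken from the alert line.
var ISP_PROXIES [213.224.83.135/32]

# By default pass rules are evaluated AFTER alert rules, so a pass rule
# would never win. Evaluate pass first (equivalent to starting snort -o).
config order: pass alert log activation

include $RULE_PATH/local.rules

# --- local.rules -----------------------------------------------------------
# (a) Pass rule: silently accept SYNs from the LAN to the trusted proxy port.
#     Narrow on purpose: only our hosts, only that proxy, only port 8080,
#     only the SYN that SID 620 keys on. sid >= 1000000 keeps clear of the
#     stock rule set.
pass tcp $HOME_NET any -> $ISP_PROXIES 8080 (msg:"LAN to trusted ISP proxy 8080"; flags:S,12; sid:1000001; rev:1;)

# (b) "Change the flow": with HOME_NET fixed, the stock rule below already
#     only covers inbound probes. If it still fires on outbound traffic,
#     the variables are still wrong; fix them rather than muting the rule.
#     alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy (8080) attempt"; ...; sid:620; ...)

# (c) BPF filter: keep the packets from reaching the rule engine at all.
#     Coarser than (a): every packet to that host:port is invisible to Snort,
#     not just the SYN, so prefer (a) unless you fully trust the proxy.
#     Trailing argument, tcpdump syntax:
#       snort -c /etc/snort/snort.conf 'not (src net 192.168.1.0/24 and dst host 213.224.83.135 and dst port 8080)'
#     or from a file with -F:
#       echo 'not (src net 192.168.1.0/24 and dst host 213.224.83.135 and dst port 8080)' > /etc/snort/proxy.bpf
#       snort -c /etc/snort/snort.conf -F /etc/snort/proxy.bpf
#     Check the expression compiles before deploying:
#       tcpdump -d 'not (src net 192.168.1.0/24 and dst host 213.224.83.135 and dst port 8080)'
```

After changing either the variables or the rule order, restart Snort and confirm with a deliberate connection to the proxy port that the alert is gone while inbound probes to your own port 8080 still log.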

iceman47 06-04-2003 04:36 PM

Cheers unSpawn, no more floods now :)

