LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 06-03-2003, 05:36 PM   #1
iceman47
Senior Member
 
Registered: Oct 2002
Location: Belgium
Distribution: Debian, Free/OpenBSD
Posts: 1,123

Rep: Reputation: 47
snort logs get flooded


Simple question I hope: how can I stop these alerts from being logged?
They come from my ISP and I'm pretty sick of getting 3MB a day just of these alerts. Here's one: (although the others are pretty much the same, the local ip differs obviously and the remote ip changes from time to time).
Code:
06/03-08:41:04.379969  [**] [1:620:2] SCAN Proxy (8080) attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.104:1063 -> 213.224.83.135:8080
 
Old 06-04-2003, 05:47 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,005
Blog Entries: 54

Rep: Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763
I think it's good to have some sort of outbound traffic checking, but this behaviour could stem from you erring in the setup of variables like $HOME_NET in snort.conf. Please verify.

If your variables are OK, then there's a few ways to "mute" these alerts:
- Disable the rule,
- Change the flow in the rule towards the $HOME_NET,
- Write a "pass" rule,
- Add a BPF filter.

If 213.224.83.13? only offer HTTP-PROXY, and you trust them, then the easiest way IMHO would be to tack on a BPF filter. Read the Snort docs on how to do that, the manpage for tcpdump may help you construct the filter as well, and if you can't figure it out at least post what you tried.
 
Old 06-04-2003, 04:36 PM   #3
iceman47
Senior Member
 
Registered: Oct 2002
Location: Belgium
Distribution: Debian, Free/OpenBSD
Posts: 1,123

Original Poster
Rep: Reputation: 47
Cheers unSpawn, no more floods now
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Reading SNORT Logs WarlockofVirgo Linux - Networking 1 08-13-2004 09:24 AM
My logs are being flooded from pings from my router(i think)!!! rmanocha Linux - Networking 8 03-11-2004 01:42 PM
Reading Snort logs bigdogg Linux - Software 0 10-27-2003 03:22 PM
What do these snort logs mean? tarballedtux Linux - Security 1 08-31-2002 10:15 PM
Explain these Snort logs... the theorist Linux - Security 9 04-27-2002 09:21 PM


All times are GMT -5. The time now is 12:39 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration