LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 02-21-2013, 08:52 AM   #1
baronobeefdip
Senior Member
 
Registered: Jul 2009
Distribution: Debian Squeeze
Posts: 1,267

Rep: Reputation: 32
snort false positives


I have some snort rules setup in the default settings (except for the community sip and virus ones which didn't work and instead started generating errors and false positives) I now want to disable a rule that is generating these reports
Code:
MISC UPnP malformed advertisement
There's too many of these alerts and I am now under the impression that these are false positives and I want to know which rule I need to disable in order to stop getting these reports
I am also getting these alerts
Code:
COMMUNITY WEB-MISC Proxy Server Access
Which rules do I need to disable to stop receiving these alerts?
 
Old 02-21-2013, 12:18 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
See /etc/snort/threshold.conf or configure Oinkmaster to handle it?
 
Old 02-21-2013, 09:25 PM   #3
baronobeefdip
Senior Member
 
Registered: Jul 2009
Distribution: Debian Squeeze
Posts: 1,267

Original Poster
Rep: Reputation: 32
I just want to know which rule files are generating these alerts
 
Old 02-22-2013, 05:47 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
Ah, OK easiest is to grep the sid-msg.map for it or recursively grep the directory where your Snort rules reside. The SID of the first rule is 1384 IIGC.
 
Old 02-23-2013, 09:53 AM   #5
baronobeefdip
Senior Member
 
Registered: Jul 2009
Distribution: Debian Squeeze
Posts: 1,267

Original Poster
Rep: Reputation: 32
How do I recursively search the directory that the rule files are located, I know how to grep a single file for text bit I have never done more than one at a time, and whenever it finds a match hire will I know which file it was found in
 
Old 02-23-2013, 11:46 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
Both questions are not related to Snort but to 'grep' use and 'man grep' would have shown "-r" and "-H" usage:
Code:
grep -Hr "UPnP malformed advertisement" /etc/snort
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Both chkrootkit and rkhunter find suspicious files, are they false positives? theif519 Linux - Newbie 2 06-28-2011 08:42 PM
Rkhunter false positives? Amdx2_x64 Linux - Security 2 10-25-2010 05:19 PM
unable to remove rkhunter false positives. permalac Linux - Security 2 11-07-2008 01:23 PM
apache / mod_security: fixing false positives jrtayloriv Linux - Server 3 03-01-2008 04:03 PM
Chkrootkit False Positives Sabicas Linux - Software 0 08-03-2004 12:42 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 09:26 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration