RES: snort- problems

Hello there,  

> 1) I was led to believe that Snort can run on one machine and

It is important to gather some other information about your network, ie. Is it switched?

It seems to me that you have a switched network, in which case you probably will need to
assign the "monitor port" to snort.  

> 2) Last night I had a bunch of alerts pop-up which said

These are false positive. This specific rule listens for the string "uid=0", so even this e-mail will probably trigger it because of this statement.

Load up the tcpdump log, and you'll probably see the html source code for the SANS and Snort website referencing to the "uid=0" string.

Best regards,

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Auro Pontes
DGS Factoring

• Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
• Automatically Control P2P, IM and Spam Traffic
• Ensure Reliable Performance of Mission Critical Applications Precisely Define and Implement Network Security and Performance Policies **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo Visit us at: http://www.captusnetworks.com/ads/31.htm

  ---