Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: snort.org > snort-users > 03 > 031637.html (Request Expert snort.org Support)

RE: [Snort-users] Same src/dst

From: Brei, Matt <mbrei(at)medclaiminc.com>
Date: Mon Mar 31 2003 - 22:18:15 EST


I put them in the local rules. I don't know if this is the best place to put them as far as performance goes. But this seems to be the logical place to put them.  

Matt  

-----Original Message-----
From: David Alonso De La Vega Tapage [mailto:delavegad@bancoaliado.com] Sent: Monday, March 31, 2003 8:09 AM
To: Brei, Matt
Cc: snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] Same src/dst  

Question ..

where is the exact right place to put these rules .. ? to mantain the better performace of snort ..

Thanx in advance ..

Cheers,

David Alonso

Do you need help?X

Brei, Matt wrote:

     I have been seeing a lot of these "same SRC/DST" alerts even after adding two local rules to pass them. I think these alerts are due to the fact that there is a DNS server running on this machine and it is using itself for its name resolution.   

#3-(4-1434)

   BAD TRAFFIC same SRC/DST 

   2003-03-30 18:49:29    
   10.13.110.254:1026    
   10.13.110.254:53

   UDP  
#4-(4-1435)

   BAD TRAFFIC same SRC/DST 
   2003-03-30 18:49:29    
   10.13.110.254:53    
   10.13.110.254:1026

   UDP   The two local rules are as follows:  

  pass ip 10.13.110.254 53 -> 10.13.110.254 1026 (msg:"BAD TRAFFIC same SRC/DST"; sameip; reference:cve,CVE-1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:3;)  

pass ip 10.13.110.254 1026 -> 10.13.110.254 53 (msg:"BAD TRAFFIC same SRC/DST"; sameip; reference:cve,CVE-1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:3;)  

These alerts are filling the database rather quickly. Please help. I have searched the mailing list archives as well as Usenet with no helpful results.  

Matt    


This SF.net email is sponsored by:
The Definitive IT and Networking Event. Be There! NetWorld+Interop Las Vegas 2003 -- Register today! http://ads.sourceforge.net/cgi-bin/redirect.pl?keyn0001en

Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users       
 
  • Message from InterScan E-Mail VirusWall NT ******
    • No virus found in attached file noname.htm

Este correo ha sido revisado y esta libre de virus. Disclaimer 

*****************     End of message     ***************
 
  
 



-------------------------------------------------------
This SF.net email is sponsored by: ValueWeb: Dedicated Hosting for just $79/mo with 500 GB of bandwidth! No other company gives more support or power for your dedicated server http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/

Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users Received on Mon Mar 31 22:50:13 2003
Do you need more help?X

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 11:50:34 EDT

Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library