| Search Site |
| Search Rules |
| Account |
| not registered? |
| can't login? |
| user preferences |
 |
 |
|
|||||||||||||||||||
Next: 4.1 Errors loading rules Up: The Snort FAQ Previous: 3.22 How do I
4 Rules and Alerts
Subsections
- 4.1 Errors loading rules files
- 4.2 Snort says ``Rule IP addr (``1.1.1.1'') didn't x-late, WTF?''
- 4.3 Snort is behind a firewall (ipf/pf/ipchains/ipfilter) and awfully quiet...
- 4.4 Does snort see packets filtered by IPTables/IPChains/IPF/PF?
- 4.5 I'm getting large amounts of
some alerts type
. What should I do? Where can I go to find out more about it?
- 4.6 What about all these false alarms?
- 4.7 What are all these ICMP files in subdirectories under /var/log/snort?
- 4.8 Why does the program generate alerts on packets that have pass rules?
- 4.9 What are all these ``ICMP destination unreachable'' alerts?
- 4.10 Why do many Snort rules have the flags P (TCP PuSH) and A (TCP ACK) set?
- 4.11 What are these IDS codes in the alert names?
- 4.12 Snort says BACKDOOR SIGNATURE... does my machine have a Trojan?
- 4.13 What about ``CGI Null Byte attacks?''
- 4.14 Why do certain alerts seem to have `unknown' IPs in ACID?
- 4.15 Can priorities be assigned to alerts using ACID?
- 4.16 What about `SMB Name Wildcard' alerts?
- 4.17 What the heck is a SYNFIN scan?
- 4.18 I am getting too many ``IIS Unicode attack detected'' and/or ``CGI Null Byte attack detected'' false positives. How can I turn this detection off?
- 4.19 How do I test Snort alerts and logging?
- 4.20 What is the difference between ``Alerting'' and ``Logging''?
- 4.21 Are rule keywords ORed or ANDed together?
- 4.22 Can Snort trigger a rule by MAC addresses?
- 4.23 How can I deactivate a rule?
- 4.24 How can I define an address to be anything except some hosts?
- 4.25 After I add new rules or comment out rules how do I make Snort reload?
- 4.26 Where do the distance and within keywords work from to modify content searches in rules?
- 4.27 How can I specify a list of ports in a rule?
- 4.28 How can I protect web servers running on ports other than 80?
- 4.29 How do I turn off ``spp:possible EVASIVE RST detection'' alerts?
- 4.30 Is there a private SID number range so my rules don't conflict?
- 4.31 How long can address lists, variables, or rules be?
- 4.32 What do the numbers (ie: [116:56:1]) in front of a Snort alert mean?
| site feedback | Terms of Use | Privacy Policy | forum archives ©2007 Snort and Sourcefire are registered trademarks of Sourcefire, Inc. All rights reserved. |