Gentoo Archives: gentoo-security

From: xyon <xyon@×××××××××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Snort alert with Squid ?
Date: Sun, 06 Nov 2005 20:53:37
In Reply to: Re: [gentoo-security] Snort alert with Squid ? by "Brian G. Peterson"
I concur. Snort is a great program, but the false positives are many.
What are the errors that it is tripping? Many people have to
custom-tailor their snort rules (by disabling problem rules) to allow
legitimate traffic.

One thing that helps me is I have snort emerged with 'USE="flexresp
inline"', and then used oinkmaster to convert all my tcp alert rules to
drop. It helps a little in diagnosing false positives.

On Sun, 2005-11-06 at 11:21 -0600, Brian G. Peterson wrote:
> On Sunday 06 November 2005 10:03 am, aa6qn@×××××××××××.net wrote: > > I could use some help here. I have emerged Snort on my system here (along > > with SnortSnarf) and have been watching the alerts. What is causing my > > concern it that my server is being reported as a source for serveral web > > based attack signatures to a host of unknown destinations. I have spent > > some time cleaning and rebuilding the server with no luck until I turned > > off Squid. > > Could you please paste in copies of the warnings/alerts;log entries you are > seeing? > > Also, have you done a packet capture manually on that port to see what is > going on? > > It is about equally likely that snort is giving you a false positive as it is > that anything is wrong with squid... > > Regards, > > - Brian
-- gentoo-security@g.o mailing list