From: xyon
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] Snort alert with Squid ?
Date: Sun, 06 Nov 2005 15:40:19 -0500
In-Reply-To: <200511061121.51020.brian@braverock.com>

I concur. Snort is a great program, but the false positives are many. What are the errors that it is tripping? Many people have to custom-tailor their snort rules (by disabling problem rules) to allow legitimate traffic.

One thing that helps me is I have snort emerged with 'USE="flexresp inline"', and then used oinkmaster to convert all my tcp alert rules to drop. It helps a little in diagnosing false positives.

On Sun, 2005-11-06 at 11:21 -0600, Brian G. Peterson wrote:
> On Sunday 06 November 2005 10:03 am, aa6qn@aa6qn.sytes.net wrote:
> > I could use some help here. I have emerged Snort on my system here (along
> > with SnortSnarf) and have been watching the alerts. What is causing my
> > concern is that my server is being reported as a source for several web
> > based attack signatures to a host of unknown destinations. I have spent
> > some time cleaning and rebuilding the server with no luck until I turned
> > off Squid.
>
> Could you please paste in copies of the warnings/alerts/log entries you are
> seeing?
>
> Also, have you done a packet capture manually on that port to see what is
> going on?
>
> It is about equally likely that snort is giving you a false positive as it is
> that anything is wrong with squid...
>
> Regards,
>
> - Brian
-- 
gentoo-security@gentoo.org mailing list
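Added example, not part of the thread above and not oinkmaster's own code: a small Python script that performs, on a constructed ruleset, the two tuning steps the reply describes doing with oinkmaster, commenting out known false-positive rules by sid and rewriting active tcp alert rules to drop for inline mode. The rules, sids and helper names are constructed for illustration; the regexes assume Snort 2.x rule syntax.

```python
import re

# Constructed Snort 2.x rules for illustration; not from the mailing-list thread.
SAMPLE_RULES = """\
# Constructed rules for illustration only
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC example"; flow:to_server,established; content:"/cgi-bin/"; sid:9000001; rev:1;)
alert udp any any -> any 53 (msg:"DNS example"; sid:9000002; rev:1;)
# alert tcp any any -> any 22 (msg:"already disabled"; sid:9000003; rev:1;)
alert icmp any any -> any any (msg:"ICMP example"; sid:9000004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"noisy outbound rule"; sid:9000005; rev:2;)
"""

# Rule header: action, protocol, then the rest of the header and options.
RULE_HEADER = re.compile(r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>tcp|udp|icmp|ip)\s+(?P<rest>.*)$")
SID_OPTION = re.compile(r"\bsid\s*:\s*(?P<sid>\d+)\s*;")

def rule_sid(line):
    """Return the sid found in a rule line, or None if the line carries no sid option."""
    m = SID_OPTION.search(line)
    return int(m.group("sid")) if m else None

def retune_rules(text, disable_sids=(), drop_protocols=("tcp",)):
    """Comment out rules whose sid is in disable_sids, and turn active 'alert' rules
    for the given protocols into 'drop' rules. Comments, blank lines and other
    rules pass through unchanged. Returns (new_text, stats)."""
    out, stats = [], {"disabled": 0, "dropped": 0}
    disable = set(disable_sids)
    for line in text.splitlines():
        stripped = line.strip()
        m = RULE_HEADER.match(stripped)  # comments and blank lines do not match
        if not m:
            out.append(line)
            continue
        if rule_sid(stripped) in disable:
            out.append("# " + stripped)  # silence a known false positive by sid
            stats["disabled"] += 1
            continue
        if m.group("action") == "alert" and m.group("proto") in drop_protocols:
            out.append("drop " + m.group("proto") + " " + m.group("rest"))
            stats["dropped"] += 1
            continue
        out.append(line)
    return "\n".join(out) + "\n", stats

if __name__ == "__main__":
    new_text, stats = retune_rules(SAMPLE_RULES, disable_sids=[9000005])
    print(new_text)
    print(stats)  # {'disabled': 1, 'dropped': 1}
```

Run it against a real rules file only after checking the stats against what you expect, since a too-broad disable list or a mis-parsed header silently changes what the sensor blocks.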