First shot at Snort…
-
I've fired up Snort on pfSense 2.3 and have had it running for a day or so in non-blocking mode. I am seeing a lot of these two alerts as seen in this attachment.
Both source IPs are my WAN IP. The destination for rule 141:1 resolves to my website's IMAP email server. The destination for rule 137:1 resolves to Apple.
So I'm pretty sure these are false positives, am I wrong? If indeed they are false, then can I safely disable the two rules? That's how I understand you are supposed to do it, correct?
-