SNORT mistaken classification



  • I encountered a weird behavior from SNORT today. It blocked a valid, useful IP (212.146….), which has happened before, only this time with the reason "ET COMPROMISED Known Compromised or Hostile Host Traffic UDP group 24".

    I checked the files /usr/local/etc/snort/rules/emerging-compromised.rules and /usr/local/etc/snort/rules/emerging-compromised-ips.txt, but the IP is not there. Is it a case of mistaken classification, a display error or just some kind of fuzzy rule that matched the traffic?



  • Did you double-check whether or not the rule specified a netblock that might encompass the IP?

    Bill
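
Bill's suggestion is a membership test, not a string search: grep for the literal address finds nothing when the rule lists a CIDR block that contains it. The following is an added example, not code from the original thread nor from Snort or Emerging Threats. It parses the address lists in the header of ET-style IP rules (the part before the options parenthesis) and the companion one-entry-per-line list, and reports every entry that covers a given IP, including an enclosing netblock. The rule lines, the IP list and the addresses (TEST-NET ranges) are constructed for illustration, and the group numbers and sids in them are hypothetical; negated address lists (`![...]`) are deliberately not handled.

```python
#!/usr/bin/env python3
"""Check whether an IP is covered by any address or netblock referenced in
Snort/ET-style rule files, even when the IP itself never appears literally."""
import ipaddress
import re
import sys
from typing import List, Tuple

# Constructed sample in the style of an ET "compromised" IP-list rule.
# Addresses are TEST-NET ranges; group numbers and sids are hypothetical.
SAMPLE_RULES = r'''
# constructed sample, not the real emerging-compromised.rules
alert ip [198.51.100.5,203.0.113.0/24,192.0.2.17] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 1"; flags:S; classtype:misc-attack; flowbits:set,ET.CompromisedHost; sid:2500000; rev:4;)
alert udp [198.51.100.5,203.0.113.0/24,192.0.2.17] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic UDP group 1"; classtype:misc-attack; flowbits:set,ET.CompromisedHost; sid:2500001; rev:4;)
'''

# Constructed sample of the companion one-entry-per-line list.
SAMPLE_IPLIST = '''
# constructed sample, not the real emerging-compromised-ips.txt
198.51.100.5
203.0.113.0/24
192.0.2.17
'''

# IPv4 address with an optional /prefix; variables such as $HOME_NET are skipped.
_NET_TOKEN = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?')


def parse_rule_networks(rule_text: str) -> List[Tuple[str, ipaddress.IPv4Network]]:
    """Return (msg, network) for every address/netblock in each rule header.
    Only the header (before the first '(') is scanned so that numbers inside
    the options, e.g. sid:2500000, are never mistaken for addresses."""
    found = []
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        header, _, options = line.partition('(')
        m = re.search(r'msg:"([^"]*)"', options)
        msg = m.group(1) if m else '<no msg>'
        for tok in _NET_TOKEN.findall(header):
            # strict=False accepts a host address as a /32 and a non-aligned block
            found.append((msg, ipaddress.ip_network(tok, strict=False)))
    return found


def parse_iplist_networks(list_text: str) -> List[ipaddress.IPv4Network]:
    """Parse a one-entry-per-line list of hosts and CIDR blocks, ignoring comments."""
    nets = []
    for line in list_text.splitlines():
        entry = line.split('#', 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def matching_rules(ip: str, rule_text: str) -> List[str]:
    """msg of every rule whose address list covers ip, literally or by netblock."""
    addr = ipaddress.ip_address(ip)
    return sorted({msg for msg, net in parse_rule_networks(rule_text) if addr in net})


def covering_entries(ip: str, list_text: str) -> List[str]:
    """Entries of the IP list that contain ip (a host entry is reported as /32)."""
    addr = ipaddress.ip_address(ip)
    return [str(net) for net in parse_iplist_networks(list_text) if addr in net]


def main(argv: List[str]) -> None:
    # Usage: check_snort_netblock.py <ip> [rules-file] [iplist-file]
    # Without file arguments the constructed samples above are used.
    ip = argv[1] if len(argv) > 1 else '203.0.113.77'
    rules = open(argv[2]).read() if len(argv) > 2 else SAMPLE_RULES
    iplist = open(argv[3]).read() if len(argv) > 3 else SAMPLE_IPLIST
    print(f'{ip} appears literally in the rules file: {ip in rules}')
    for msg in matching_rules(ip, rules):
        print(f'  covered by rule: {msg}')
    for entry in covering_entries(ip, iplist):
        print(f'  covered by list entry: {entry}')


if __name__ == '__main__':
    main(sys.argv)
```

Run it against the real files with `python3 check_snort_netblock.py <ip> /usr/local/etc/snort/rules/emerging-compromised.rules /usr/local/etc/snort/rules/emerging-compromised-ips.txt`. With the constructed sample, 203.0.113.77 is absent as a string yet is matched by both rules through the 203.0.113.0/24 entry, which is exactly the situation Bill is asking about.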