Netgate Discussion Forum
    Snort Alert Log Questions

    IDS/IPS
    5 Posts, 3 Posters, 1.2k Views
    Presbuteros

      I have attached a recent Snort Alert Log screen capture. Snort is set up on WAN as alert only at the moment.

      My questions are:

      What should I do in Snort with the portscan offenders alert?

      What should I do in Snort about the (spp_arpspoof) Unicast ARP request alert?

      Thanks for your help.

      snortalertlog001.jpg

    asdf1nit

        I'm looking for the same information as you. This just started happening on one of my VLANs. Most of the other interfaces just say Unknown Traffic, Not Suspicious Traffic or some other alert that I need to clean up, but my main VLAN that's used started having an overwhelming number of these alerts.

        I have a ~300 device network. I'm not all that new to pf because I use it at home, but now as the only IT on staff and trying to close things down with Snort, because of all the alerts I'm needing to get some more insight. I've put in for the Netgate pfSense training and am ordering some books on Snort and pf management.

        Any other resources/suggestions are appreciated.

        ![Screen Shot 2017-10-31 at 4.25.46 PM.png](/public/imported_attachments/1/Screen Shot 2017-10-31 at 4.25.46 PM.png)

    bmeeks

          You will find the ARP Spoof preprocessor to be very chatty in the logs.  It also can't detect many types of ARP attacks.  That's not a knock on Snort.  It's just the nature of the beast with ARP attacks.  You can Google search "arp attacks" to find several papers on this topic.  My humble opinion is the ARP Spoof preprocessor is marginally useful at best.  And when you use it, you must provide MAC/IP address pairs for it to monitor.  There is a lot of maintenance in that task with a large network.  I said this in another thread earlier about the ARP Spoofing preprocessor:  it's one of those things that sounds better in theory than it actually works in practice.

          The Snort portscan preprocessor can also be quite sensitive and prone to false positives.  There are some sensitivity settings on the PREPROCESSORS tab down in the Portscan section.  Try bumping those up to make it less sensitive.  You will still find that even when set to the least sensitive setting, it will still false positive now and then.

          Bill

    asdf1nit
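Before loosening the portscan sensitivity or disabling the ARP Spoof preprocessor, it helps to measure how much of the alert volume each one is producing and which hosts are behind it. The script below is an added example for that, not code from this thread or from the pfSense Snort package: it parses Snort's "fast" alert output format, counts alerts per signature (GID:SID plus message) and per source address, and reports the share coming from preprocessors (any GID other than 1, the rules engine). The alert lines embedded in it are constructed samples; the 112 (spp_arpspoof) and 122 (portscan) generator IDs are Snort's, but the addresses, timestamps and counts are made up.

```python
import re
from collections import Counter

# Constructed sample lines in Snort's "fast" alert output format; they are not
# taken from the screenshots in the thread. GID 112 is the arpspoof
# preprocessor, GID 122 the sfportscan preprocessor, GID 1 the rules engine.
SAMPLE_ALERTS = """\
10/31-16:20:01.000001  [**] [112:1:1] (spp_arpspoof) Unicast ARP request [**] [Priority: 3] {ARP} 0.0.0.0 -> 0.0.0.0
10/31-16:20:02.000002  [**] [112:1:1] (spp_arpspoof) Unicast ARP request [**] [Priority: 3] {ARP} 0.0.0.0 -> 0.0.0.0
10/31-16:20:03.000003  [**] [112:1:1] (spp_arpspoof) Unicast ARP request [**] [Priority: 3] {ARP} 0.0.0.0 -> 0.0.0.0
10/31-16:21:10.000004  [**] [122:1:0] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 10.0.40.23 -> 10.0.40.1
10/31-16:21:11.000005  [**] [122:1:0] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 10.0.40.23 -> 10.0.40.2
10/31-16:22:00.000006  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:80 -> 10.0.40.15:51234
"""

# One fast-format alert line: timestamp, [gid:sid:rev], message, optional
# classification/priority, {protocol}, and an optional "src -> dst" pair.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:.*?\[Priority:\s*(?P<prio>\d+)\])?"
    r"(?:.*?\{(?P<proto>[^}]+)\})?"
    r"(?:\s+(?P<src>[0-9A-Fa-f.:]+)\s+->\s+(?P<dst>[0-9A-Fa-f.:]+))?\s*$"
)

# IPv4 address with a trailing ":port"; only this form gets its port stripped.
IPV4_PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):\d+$")


def strip_port(addr):
    """Return the host part of an IPv4 'addr:port'; other strings unchanged."""
    m = IPV4_PORT_RE.match(addr)
    return m.group(1) if m else addr


def parse_alert(line):
    """Parse one fast-format alert line into a dict, or None if it is not one."""
    m = ALERT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    d = m.groupdict()
    d["src"] = strip_port(d["src"]) if d["src"] else None
    d["dst"] = strip_port(d["dst"]) if d["dst"] else None
    return d


def summarize(text):
    """Count alerts per signature and per source; measure the preprocessor share."""
    by_signature = Counter()
    by_source = Counter()
    total = 0
    preproc = 0
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue  # skip blank lines and anything that is not an alert
        total += 1
        by_signature[f"{a['gid']}:{a['sid']} {a['msg']}"] += 1
        if a["src"]:
            by_source[a["src"]] += 1
        if a["gid"] != "1":  # GID 1 is the rules engine; everything else is a preprocessor/decoder
            preproc += 1
    return {
        "total": total,
        "by_signature": by_signature,
        "by_source": by_source,
        "preprocessor_share": (preproc / total) if total else 0.0,
    }


def noisy_signatures(summary, min_share=0.3):
    """Signatures that account for at least min_share of all alerts, busiest first."""
    total = summary["total"]
    if not total:
        return []
    return [
        (sig, n)
        for sig, n in summary["by_signature"].most_common()
        if n / total >= min_share
    ]


if __name__ == "__main__":
    s = summarize(SAMPLE_ALERTS)
    print(f"{s['total']} alerts, {s['preprocessor_share']:.0%} from preprocessors")
    for sig, n in noisy_signatures(s):
        print(f"  {n:4d}  {sig}")
    for src, n in s["by_source"].most_common(3):
        print(f"  {n:4d}  from {src}")
```

To run it against real data, feed the contents of the interface's alert file under /var/log/snort/ on the pfSense box to summarize() instead of the constructed sample. A signature that dominates the count and comes from a handful of known-good hosts (a monitoring box, a vulnerability scanner, a DHCP server) is a candidate for a suppress entry or a sensitivity change on the PREPROCESSORS tab; a portscan alert from a host that has no business probing the network is the one worth keeping.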

    Thanks for the info. I'll go play with these settings. I've just started to implement Snort, so having never done it before, there's the learning curve I've got to deal with.

    Presbuteros

              Thanks Bill.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.