Snort Alert Log Questions



  • I have attached a recent Snort Alert Log screen capture. Snort is set up on WAN as alert only at the moment.

    My questions are:

    What should I do in Snort with the portscan offenders alert?

    What should I do in Snort about the (spp_arpspoof) Unicast ARP request alert?

    Thanks for your help.




  • I'm looking for the same information as you. This just started happening on one of my VLANs. Most of the other interfaces just say Unknown Traffic, Not Suspicious Traffic or some other alert that I need to clean up, but my main VLAN that's used started having an overwhelming number of these alerts.

    I have a ~300 device network. I'm not all that new to pf because I use it at home, but now, as the only IT on staff and trying to close things down with Snort, I'm needing to get some more insight because of all the alerts. I've put in for the Netgate pfSense training and am ordering some books on Snort and pf management.

    Any other resources/suggestions are appreciated.

    ![Screen Shot 2017-10-31 at 4.25.46 PM.png](/public/imported_attachments/1/Screen Shot 2017-10-31 at 4.25.46 PM.png)



  • You will find the ARP Spoof preprocessor to be very chatty in the logs. It also can't detect many types of ARP attacks. That's not a knock on Snort. It's just the nature of the beast with ARP attacks. You can Google search "arp attacks" to find several papers on this topic. My humble opinion is the ARP Spoof preprocessor is marginally useful at best. And when you use it, you must provide MAC/IP address pairs for it to monitor. There is a lot of maintenance in that task with a large network. I said this in another thread earlier about the ARP Spoofing preprocessor: it's one of those things that sounds better in theory than it actually works in practice.

    The Snort portscan preprocessor can also be quite sensitive and prone to false positives. There are some sensitivity settings on the PREPROCESSORS tab down in the Portscan section. Try bumping those up to make it less sensitive. You will still find that even when set to the least sensitive setting, it will still false positive now and then.

    Bill
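
As an added example (not code from this thread, from pfSense or from the Snort project), the following Python script parses Snort alert_fast lines to measure how much of a log the two preprocessors discussed above account for, and which hosts are behind the portscan alerts, which is useful before deciding how far to turn the sensitivity down. The sample lines are constructed; the generator IDs 112 (arpspoof) and 122 (sfportscan) are Snort's standard ones.

```python
import re
from collections import Counter

# Constructed alert_fast lines (not the screenshot from the thread); the
# generator IDs are Snort's standard ones: 112 = arpspoof, 122 = sfportscan.
SAMPLE_ALERTS = """\
10/31-16:20:01.000001  [**] [112:1:1] (spp_arpspoof) Unicast ARP request [**] [Priority: 3] {ARP} 0.0.0.0 -> 0.0.0.0
10/31-16:20:02.000002  [**] [112:1:1] (spp_arpspoof) Unicast ARP request [**] [Priority: 3] {ARP} 0.0.0.0 -> 0.0.0.0
10/31-16:20:05.000003  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 10.0.5.23 -> 10.0.5.1
10/31-16:20:07.000004  [**] [122:3:1] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 10.0.5.23 -> 10.0.5.1
10/31-16:20:09.000005  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:80 -> 10.0.5.40:51234
10/31-16:20:11.000006  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 10.0.5.88 -> 10.0.5.1
"""

GID_ARPSPOOF = "112"
GID_PORTSCAN = "122"

# One alert_fast line: timestamp, [gid:sid:rev], message, optional
# classification, priority, {protocol}, source -> destination.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:[^\]]*\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]*)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

def parse_alerts(text):
    """Return one dict per parseable line; non-matching lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts

def triage(text):
    """Quantify preprocessor noise and list the hosts behind portscan alerts."""
    alerts = parse_alerts(text)
    by_sig = Counter(f"{a['gid']}:{a['sid']} {a['msg']}" for a in alerts)
    # Portscan alerts carry bare IPs (no port), so the source is usable as-is.
    scan_src = Counter(a["src"] for a in alerts if a["gid"] == GID_PORTSCAN)
    noise = sum(a["gid"] in (GID_ARPSPOOF, GID_PORTSCAN) for a in alerts)
    return {
        "total": len(alerts),
        "preprocessor_share": noise / len(alerts) if alerts else 0.0,
        "top_signatures": by_sig.most_common(3),
        "portscan_sources": scan_src.most_common(3),
    }
```

Point `triage()` at the contents of a real alert file instead of `SAMPLE_ALERTS`; a high `preprocessor_share` with a handful of internal sources dominating `portscan_sources` is the pattern to review before lowering the sensitivity level.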



  • Thanks for the info, I'll go play with these settings. I've just started to implement Snort, so having never done it before there's the learning curve I've got to deal with.



  • Thanks Bill.

