SNORT ET Alerts
-
Hello,
I just got SNORT set up and running and monitoring. I have two Synologys in two separate networks. The local Synology is backing up to the remote Synology.
I have been getting this alert: This is using their proprietary backup apps. Should I be concerned? How do I verify if this is malicious or not?
-
Probably not malicious, but you would need to capture the traffic and analyze it against the actual threat to be 100% sure.
Administering an IDS is an adventure in learning something new every single day!
My suspicion is the backup traffic just happened to randomly match some byte pattern that rule is looking for, and thus it triggered.
-
Can I set up Snort to just capture when this rule is triggered? Or will it do it for all rules?
-
@powerextreme said in SNORT ET Alerts:
Can I set up Snort to just capture when this rule is triggered? Or will it do it for all rules?
No, the PCAP capture option is not rule specific. It would be for all rules. The easiest thing might be to just kick off the backup job on the Synology again and capture the traffic on the LAN interface (or whatever interface it is traversing) directly on pfSense using the network capture feature under DIAGNOSTICS on the menu.
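Once the backup traffic has been captured as suggested above, the remaining step from the earlier reply is to check the payloads against what the rule actually looks for. The script below is an added example, not part of this thread and not Snort or pfSense code: it parses Snort-style `content` strings (literal text plus `|hex|` sections) and reports where they occur in a payload, honouring the `offset`, `depth` and `nocase` modifiers. The rule pattern and the payload chunks are constructed for illustration and do not come from any real ET signature; relative modifiers (`distance`, `within`) and `pcre` are deliberately not modelled. A match that only appears because opaque backup data happened to contain the bytes, as the reply suspects, shows up here as a hit in the middle of otherwise meaningless data.

```python
"""Check captured payloads against a Snort rule's content patterns.

Added example: a small matcher for Snort 'content' strings so a captured
payload can be compared with the bytes an alert rule searches for.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ContentMatch:
    pattern: bytes            # bytes produced by parse_content()
    offset: int = 0           # Snort 'offset': where the search window starts
    depth: Optional[int] = None  # Snort 'depth': window length (None = to end)
    nocase: bool = False      # Snort 'nocase': case-insensitive compare


def parse_content(text: str) -> bytes:
    """Convert a Snort content string into raw bytes.

    Text outside |...| is literal; inside |...| it is space-separated hex.
    Backslash escapes (\\", \\;, \\\\, \\|) are honoured in literal sections.
    """
    out = bytearray()
    hexbuf: List[str] = []
    in_hex = False
    i = 0
    while i < len(text):
        ch = text[i]
        if in_hex:
            if ch == "|":
                out.extend(bytes.fromhex("".join(hexbuf)))
                hexbuf, in_hex = [], False
            elif not ch.isspace():
                hexbuf.append(ch)
        elif ch == "|":
            in_hex = True
        elif ch == "\\" and i + 1 < len(text):
            i += 1
            out.extend(text[i].encode("latin-1"))
        else:
            out.extend(ch.encode("latin-1"))
        i += 1
    if in_hex:
        raise ValueError("unterminated |hex| section in content string")
    return bytes(out)


def find_content(payload: bytes, cm: ContentMatch) -> List[int]:
    """Return every payload offset where the content matches inside its window."""
    end = len(payload) if cm.depth is None else min(len(payload), cm.offset + cm.depth)
    window = payload[cm.offset:end]
    needle = cm.pattern
    if cm.nocase:
        window, needle = window.lower(), needle.lower()
    hits: List[int] = []
    start = 0
    while True:
        idx = window.find(needle, start)
        if idx < 0:
            return hits
        hits.append(cm.offset + idx)
        start = idx + 1


def rule_matches(payload: bytes, contents: List[ContentMatch]) -> bool:
    """True when every content in the rule is found (relative modifiers ignored)."""
    return all(find_content(payload, c) for c in contents)


# Constructed rule fragment resembling a signature (NOT a real ET rule):
# a 4-byte magic at the very start of the payload and a case-insensitive word.
RULE_CONTENTS = [
    ContentMatch(parse_content("|00 00 00 01|"), offset=0, depth=4),
    ContentMatch(parse_content("rsync"), nocase=True),
]

# Constructed payload samples standing in for captured TCP segments.
BACKUP_CHUNK = b"\x00\x00\x00\x01RSYNC header then opaque data " + bytes(range(16))
SHIFTED_CHUNK = b"\x05\x05\x00\x00\x00\x01rsync"      # magic lies outside depth window
UNRELATED = b"GET /index.html HTTP/1.1\r\n"


def classify(samples: dict) -> dict:
    """Map each sample name to whether the constructed rule would fire on it."""
    return {name: rule_matches(data, RULE_CONTENTS) for name, data in samples.items()}


if __name__ == "__main__":
    samples = {"backup": BACKUP_CHUNK, "shifted": SHIFTED_CHUNK, "unrelated": UNRELATED}
    for name, fired in classify(samples).items():
        print(f"{name:10s} rule fires: {fired}")
    for cm in RULE_CONTENTS:
        print(cm.pattern, "found at", find_content(BACKUP_CHUNK, cm))
```

Feeding real payloads means extracting the TCP data from the pfSense capture (for example with a pcap library) and passing each segment to `rule_matches`; the offsets returned by `find_content` tell you whether the hit sits where the rule's author expected (a protocol header) or somewhere deep inside a data block, which is the usual signature of a coincidental match.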