How to add exception in Short?
-
Hi!
I plug Snort module in PfSense, now i want to configure out it before blocking switch on.
I update Snort, then i have create snort-interface for internet network adapter.
In snort-interface i have switch on "Portscan Detection" preprocessor, in categories i have choose "snort_scan.rules". And then i have launch Snort.
In Snorts Alerts i started to see this records:
12/10-11:16:42 2 Attempted Information Leak x.x.x.x y.y.y.y1 122:5:1 PSNG_TCP_FILTERED_PORTSCAN
12/10-11:16:27 2 Attempted Information Leak x.x.x.x y.y.y.y2 122:7:1 PSNG_TCP_PORTSWEEP_FILTERED
Where x.x.x.x is ip of my external zabbix server, and y.y.y.y1, y.y.y.y2 are ip of my internal machines with Zabbix clients.
I have add zabbix server to WhiteList, plug it (zabbix server) to Snort-interface and relaunch Snort.
This don't help, in Alerts i see the same new records.
In Snort-interface (in Whitelist configuration) i have found this note:
Note:
This option will only be used when block offenders is on.
As i understand, Whitelist affects only on blocking.
How i can disable in Alert false traffic warning records, which are received from my external servers ?
Thanks for your help.
-
did you tried to search this packages section????
There are several topics on the subject, this recent one is an example:
http://forum.pfsense.org/index.php/topic,56550.0.html
