Netgate Discussion Forum
    First shot at Snort…

    IDS/IPS
    AR15USR

      I've fired up Snort on pfSense 2.3 and have had it running for a day or so in non-blocking mode. I am seeing a lot of these two alerts as seen in this attachment.

      Both source IPs are my WAN IP. The destination for rule 141:1 resolves to my website's IMAP email server. The destination for rule 137:1 resolves to Apple.

      So I'm pretty sure these are false positives, am I wrong? If indeed they are false, then can I safely disable the two rules? That's how I understand you are supposed to do it, correct?

      (attachment: log1.png)


      2.6.0-RELEASE

      Abhishek

        I have that rule in my suppress list

        suppress gen_id 137, sig_id 1

        2.3-RC (amd64)
        built on Mon Apr 04 17:09:32 CDT 2016
        FreeBSD 10.3-RELEASE
        Intel(R) Core(TM)2 Duo CPU E4500 @ 2.20GHz

        darkstat 3.1.2_1
        Lightsquid 3.0.3_1
        mailreport 3.0_1
        pfBlockerNG 2.0.9_1  
        RRD_Summary 1.3.1_2
        snort 3.2.9.1_9  
        squid 0.4.16_1  
        squidGuard 1.14_1
        syslog-ng 1.1.2_2

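The two posts above show the two sides of this: alerts identified by generator and signature id (137:1 and 141:1; in Snort, GIDs above 1 belong to preprocessors, 137 being the SSL/TLS preprocessor and 141 the IMAP preprocessor), and a suppress-list entry that silences one of them. The script below is an added example written for this thread, not code from the thread or from the Snort or pfSense projects. It parses a suppress list in Snort's threshold.conf syntax (`suppress gen_id G, sig_id S`, optionally `track by_src|by_dst, ip ADDR/CIDR`), runs it over constructed alert lines in Snort's fast-alert format, and reports which alerts the list would hide. It goes a step beyond the thread by including a scoped `track by_dst` entry, which is the usual way to quiet a known-good server without blinding the sensor to the same alert for every other host. All addresses and alert messages are constructed placeholders.

```python
"""Which alerts would a Snort/pfSense suppress list silence?

Added example, not code from the forum thread, Snort or pfSense. Suppress
syntax follows Snort's threshold.conf; sample list and alerts are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# suppress gen_id G, sig_id S [, track by_src|by_dst, ip ADDR[/CIDR]]
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)

# Snort fast-alert line (IPv4): ... [**] [gid:sid:rev] msg [**] ... {PROTO} SRC:PORT -> DST:PORT
ALERT_RE = re.compile(
    r"\[\*\*\]\s*\[(\d+):(\d+):\d+\]\s*(.*?)\s*\[\*\*\].*?\{(\w+)\}\s*"
    r"(\S+?)(?::\d+)?\s*->\s*(\S+?)(?::\d+)?\s*$"
)


@dataclass(frozen=True)
class SuppressRule:
    gen_id: int
    sig_id: int
    track: str | None = None           # None means "suppress everywhere"
    network: ipaddress.IPv4Network | ipaddress.IPv6Network | None = None

    def matches(self, gid: int, sid: int, src: str, dst: str) -> bool:
        if (gid, sid) != (self.gen_id, self.sig_id):
            return False
        if self.track is None:
            return True
        # Scoped entry: only the tracked side of the flow must be inside the network.
        addr = ipaddress.ip_address(src if self.track == "by_src" else dst)
        return addr in self.network


def parse_suppress_list(text: str) -> list[SuppressRule]:
    """Parse a suppress list; comments (#) and blank lines are ignored."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised suppress entry: {raw!r}")
        gid, sid, track, ip = m.groups()
        network = ipaddress.ip_network(ip, strict=False) if ip else None
        rules.append(SuppressRule(int(gid), int(sid), track, network))
    return rules


def suppressed_alerts(suppress_text: str, alert_lines: list[str]) -> list[tuple]:
    """Return (gid:sid, src, dst, suppressed?) for each parseable alert line."""
    rules = parse_suppress_list(suppress_text)
    verdicts = []
    for line in alert_lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # not a fast-alert line we understand; skip it
        gid, sid, _msg, _proto, src, dst = m.groups()
        hit = any(r.matches(int(gid), int(sid), src, dst) for r in rules)
        verdicts.append((f"{gid}:{sid}", src, dst, hit))
    return verdicts


# Constructed suppress list: the thread's global entry plus a scoped one.
SAMPLE_SUPPRESS = """
# Entry from the thread: silence SSL preprocessor alert 137:1 everywhere.
suppress gen_id 137, sig_id 1
# Constructed alternative for 141:1: only when the destination is our own
# IMAP server (placeholder address 198.51.100.25), not for every host.
suppress gen_id 141, sig_id 1, track by_dst, ip 198.51.100.25
"""

# Constructed alert lines (placeholder addresses and messages).
SAMPLE_ALERTS = [
    "04/05-10:12:33.123456  [**] [137:1:1] (constructed) SSL preprocessor alert [**] [Priority: 3] {TCP} 203.0.113.10:51234 -> 192.0.2.40:443",
    "04/05-10:12:35.000001  [**] [141:1:1] (constructed) IMAP preprocessor alert [**] [Priority: 3] {TCP} 203.0.113.10:51240 -> 198.51.100.25:993",
    "04/05-10:13:01.000002  [**] [141:1:1] (constructed) IMAP preprocessor alert [**] [Priority: 3] {TCP} 203.0.113.10:51241 -> 198.51.100.77:993",
    "04/05-10:14:09.000003  [**] [1:1000001:1] (constructed) local rule alert [**] [Priority: 2] {TCP} 192.0.2.99:4444 -> 203.0.113.10:22",
]

if __name__ == "__main__":
    for sig, src, dst, hit in suppressed_alerts(SAMPLE_SUPPRESS, SAMPLE_ALERTS):
        print(f"{sig:<12} {src:>15} -> {dst:<15} {'suppressed' if hit else 'ALERT'}")
```

Run as-is it shows the 137:1 alert and the 141:1 alert to the suppressed IMAP server hidden, while the same 141:1 signature against a different destination still fires. That is the practical difference between a bare `suppress gen_id, sig_id` line and one with `track`: the first answers "is this a false positive for me?" with "always", the second with "only for that server", and the second is the safer default once you know which host triggers it.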
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.