First shot at Snort…

  • I've fired up Snort on pfSense 2.3 and have had it running for a day or so in non-blocking mode. I am seeing a lot of these two alerts as seen in this attachment.

    Both source IPs are my WAN IP. The destination for rule 141:1 resolves to my website's IMAP email server. The destination for rule 137:1 resolves to Apple.

    So I'm pretty sure these are false positives, am I wrong? If indeed they are false, then can I safely disable the two rules? That's how I understand you are supposed to do it, correct?

  • I have that rule in my suppress list

    suppress gen_id 137, sig_id 1
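
    A narrower alternative, added here as an example and not taken from either post: instead of suppressing 137:1 and 141:1 for every destination, Snort's suppress syntax lets you restrict each entry to the one host that produced the alert, so the preprocessor rules keep firing for everything else. The addresses below are placeholders; substitute the resolved IPs from the alert attachment.

```conf
# Added example, not from the thread. Snort suppress syntax:
#   suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <address or CIDR>]
# Placeholder addresses (TEST-NET-3); replace with the real destinations from the alerts.

# 141:1 fired for traffic to the website's IMAP server: suppress only for that destination
suppress gen_id 141, sig_id 1, track by_dst, ip 203.0.113.10

# 137:1 fired for traffic to Apple: suppress only for that destination range
suppress gen_id 137, sig_id 1, track by_dst, ip 203.0.113.0/24
```

    Alerts for 137:1 or 141:1 against any other destination still reach the log, which is what makes a later non-false positive visible.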

