I concur. Snort is a great program, but the false positives are many. What are the errors that it is tripping? Many people have to custom-tailor their snort rules (by disabling problem rules) to allow legitimate traffic.
One thing that helps me is I have snort emerged with 'USE="flexresp inline"', and then used oinkmaster to convert all my tcp alert rules to drop. It helps a little in diagnosing false positives. On Sun, 2005-11-06 at 11:21 -0600, Brian G. Peterson wrote: > On Sunday 06 November 2005 10:03 am, [EMAIL PROTECTED] wrote: > > I could use some help here. I have emerged Snort on my system here (along > > with SnortSnarf) and have been watching the alerts. What is causing my > > concern it that my server is being reported as a source for serveral web > > based attack signatures to a host of unknown destinations. I have spent > > some time cleaning and rebuilding the server with no luck until I turned > > off Squid. > > Could you please paste in copies of the warnings/alerts;log entries you are > seeing? > > Also, have you done a packet capture manually on that port to see what is > going on? > > It is about equally likely that snort is giving you a false positive as it is > that anything is wrong with squid... > > Regards, > > - Brian -- [email protected] mailing list
