OK, I've just started using this fine program, and I'm trying to eliminate a
false positive. I'm doing something wrong that I'm sure is obvious, but
after four days of staring at it I need more eyes.
WhatsUp is doing portscans on my internal network, which is a Good Thing.
The logs say
Received From: saratoga.denmantire.com->/var/log/messages
Rule: 20151 fired (level 11) -> "Multiple IDS events from same source ip."
Portion of the log(s):
Jun 3 15:34:33 saratoga.denmantire.com snort[27016]: [122:3:0] (portscan)
TCP Portsweep {PROTO255} 192.168.0.150 -> 192.168.1.80
Jun 3 15:34:03 saratoga.denmantire.com snort[27022]: [122:19:0] (portscan)
UDP Portsweep {PROTO255} 192.168.0.150 -> 192.168.1.80
Jun 3 15:34:03 saratoga.denmantire.com snort[27016]: [122:19:0] (portscan)
UDP Portsweep {PROTO255} 192.168.0.150 -> 192.168.1.80
Jun 3 15:33:50 saratoga.denmantire.com snort[27016]: [122:25:0] (portscan)
ICMP Sweep {PROTO255} 192.168.0.150 -> 192.168.0.201
so I want a generalized 'ignore this' for the portscans coming out of
192.168.0.150. I thought that putting this into local_rules would take care
of it:
<rule id="1002020" level="0">
<if_sid>20151</if_sid>
<regex>snort\.*(portscan)\.*{PROTO255} 192.168.0.150 -></regex>
<description>Portsweep from whatsup. It's OK.</description>
</rule>
but it's obviously not doing what I wanted it to. What am I not seeing
here?
Thanks,
--
Tim Boyer
Director
Information Systems and Engineering Projects
Denman Tire Corporation
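An added example, not part of the original post and not OSSEC's own code: a small Python simulation of the two-stage structure behind alerts like the one above. OSSEC's snort rules raise a per-event alert for each decoded snort line and then a frequency-based composite rule ("Multiple IDS events from same source ip", rule 20151) counts those per-event alerts per source address. A level-0 whitelist has to claim the event at the per-event stage, so that it is never counted; the OSSEC equivalent is a level-0 rule that names the per-event snort rule in `<if_sid>` (assumed here to be 20101, the "IDS event" rule in snort_rules.xml) together with `<srcip>192.168.0.150</srcip>`. The snort lines, the second host 10.10.10.7, the frequency and the timeframe below are all constructed for illustration and are not OSSEC's defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input modelled on the snort portscan lines quoted in
# the post. 192.168.0.150 is the WhatsUp scanner; 10.10.10.7 is a
# hypothetical unknown host that must still raise the composite alert.
SAMPLE_LOG = """\
Jun  3 15:33:50 saratoga snort[27016]: [122:25:0] (portscan) ICMP Sweep {PROTO255} 192.168.0.150 -> 192.168.0.201
Jun  3 15:33:55 saratoga snort[27016]: [122:19:0] (portscan) UDP Portsweep {PROTO255} 192.168.0.150 -> 192.168.1.80
Jun  3 15:34:03 saratoga snort[27022]: [122:19:0] (portscan) UDP Portsweep {PROTO255} 192.168.0.150 -> 192.168.1.80
Jun  3 15:34:33 saratoga snort[27016]: [122:3:0] (portscan) TCP Portsweep {PROTO255} 192.168.0.150 -> 192.168.1.80
Jun  3 15:35:01 saratoga snort[27016]: [122:1:0] (portscan) TCP Portscan {PROTO255} 10.10.10.7 -> 192.168.1.80
Jun  3 15:35:04 saratoga snort[27016]: [122:3:0] (portscan) TCP Portsweep {PROTO255} 10.10.10.7 -> 192.168.1.81
Jun  3 15:35:09 saratoga snort[27016]: [122:19:0] (portscan) UDP Portsweep {PROTO255} 10.10.10.7 -> 192.168.1.82
Jun  3 15:39:00 saratoga snort[27016]: [122:25:0] (portscan) ICMP Sweep {PROTO255} 10.10.10.7 -> 192.168.1.83
"""

# Decoder for snort's syslog portscan output. Note the literal parentheses
# around "portscan" are escaped: in this regex dialect, as in OSSEC's, bare
# "(" and ")" are grouping metacharacters, not literal characters.
PORTSCAN_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) snort\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] \(portscan\) (?P<kind>.+?) "
    r"\{PROTO\d+\} (?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_portscan(line):
    """Decode one snort portscan syslog line, or return None if it is not one."""
    m = PORTSCAN_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine for the relative comparisons done here.
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "kind": m["kind"],
            "sig": f"{m['gid']}:{m['sid']}:{m['rev']}"}


def correlate(log_text, ignore_src=frozenset(), frequency=3, timeframe=120):
    """Return (per_event_alerts, composite_alerts) for the given log text.

    Stage 1: every decoded event becomes a per-event alert unless a level-0
    whitelist (ignore_src) claims it first, in which case it is dropped and,
    crucially, never counted.
    Stage 2: surviving alerts are counted per source IP; `frequency` alerts
    within `timeframe` seconds raise one composite alert and reset the window.
    """
    single, composite = [], []
    window = defaultdict(deque)  # src -> timestamps of counted events
    for line in log_text.splitlines():
        ev = parse_portscan(line)
        if ev is None:
            continue  # not a snort portscan line; other decoders would run here
        if ev["src"] in ignore_src:
            continue  # whitelisted at the per-event stage: no alert, no count
        single.append(ev)
        q = window[ev["src"]]
        q.append(ev["ts"])
        while q and (ev["ts"] - q[0]).total_seconds() > timeframe:
            q.popleft()  # expire events outside the sliding timeframe
        if len(q) >= frequency:
            composite.append({"src": ev["src"], "count": len(q), "ts": ev["ts"]})
            q.clear()  # one burst yields one composite alert
    return single, composite


if __name__ == "__main__":
    for label, ignore in (("no whitelist", frozenset()),
                          ("whitelist scanner", frozenset({"192.168.0.150"}))):
        single, composite = correlate(SAMPLE_LOG, ignore_src=ignore)
        print(f"{label}: {len(single)} per-event alerts, "
              f"composite from {[c['src'] for c in composite]}")
```

Run as a script it shows the scanner disappearing from both the per-event and the composite alerts while the second host still trips the composite rule, which is the behaviour a level-0 per-event rule gives in OSSEC; a suppression applied only after the composite rule has fired cannot have that effect, because the events have already been counted.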