Ok, so I just upgraded to the 7.5 versions last week, and from what I have been reading the IPS is a little bit different. Ever since the upgrade I have been filling my log files with 15 GB of the same message and I am not sure how to disable this particular rule. I thought I was on the right track, but apparently not. Here is the log entry:
2009:11:19-20:39:12 aiku_asg snort[12667]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="LAND Attack, sameip detected" group="242" srcip="10.1.1.91" dstip="10.1.1.91" proto="6" srcport="50359" dstport="51413" sid="200012" class="" priority="0" generator="1" msgid="0"
I went to the Network Security -> IPS -> Advanced tab and manually modified rule 200012 (per the SID in the message) and disabled logging. That didn't work, so I disabled the rule completely, and it still is logged. Maybe I am using the wrong ID Number? Should I be using 2101?
BTW, the computer IP listed is a static IP'd computer and BitTorrent is the trigger for the IPS logs. I always expect BitTorrent to be unruly, but not this crazy. Oh, and another bit of information: I have DNAT set up to forward incoming port 51413 to that particular computer.
Any help would be appreciated.
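To see what the log line quoted above actually carries, here is an added parser for the ASG IPS log format (example code written for this page, not from the original poster or from Astaro). It splits the syslog-style header from the `key="value"` fields, flags the "sameip" condition as srcip equal to dstip, and counts alerts per `sid`. The assumptions are: `sid` is the Snort rule identifier and `id` is the log message type (so `id` is expected to be the same for every IPS alert while `sid` differs per rule), and port 51413 is taken from the DNAT rule mentioned in the post. The sample lines are constructed from the quoted entry; the second and third are invented for illustration.

```python
import re
from collections import Counter

# Constructed sample log lines modelled on the entry quoted in the post.
# Only the first is taken from the post; the others are invented to show
# how the summary distinguishes rules. Not real captures.
SAMPLE_LOG = """\
2009:11:19-20:39:12 aiku_asg snort[12667]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="LAND Attack, sameip detected" group="242" srcip="10.1.1.91" dstip="10.1.1.91" proto="6" srcport="50359" dstport="51413" sid="200012" class="" priority="0" generator="1" msgid="0"
2009:11:19-20:39:13 aiku_asg snort[12667]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="LAND Attack, sameip detected" group="242" srcip="10.1.1.91" dstip="10.1.1.91" proto="6" srcport="50360" dstport="51413" sid="200012" class="" priority="0" generator="1" msgid="0"
2009:11:19-20:40:01 aiku_asg snort[12667]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXAMPLE other rule" group="10" srcip="192.0.2.10" dstip="10.1.1.91" proto="6" srcport="4444" dstport="80" sid="999999" class="" priority="0" generator="1" msgid="0"
"""

# Header: timestamp, hostname, process[pid]: then the key="value" fields.
HEADER_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>[^\[]+)\[(?P<pid>\d+)\]:\s*(?P<rest>.*)$'
)
# Values are double-quoted and may be empty (class="" in the quoted entry).
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return a dict of header parts plus every key="value" field, or None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "proc": m.group("proc"),
        "pid": int(m.group("pid")),
    }
    rec.update(dict(KV_RE.findall(m.group("rest"))))
    return rec


def is_sameip(rec):
    """The 'sameip' condition in the alert reason: source equals destination."""
    return bool(rec.get("srcip")) and rec.get("srcip") == rec.get("dstip")


def summarize(log_text, dnat_port="51413"):
    """Count alerts per sid and report how many sameip hits target the DNAT port.

    dnat_port defaults to 51413, the forwarded port mentioned in the post
    (assumption: that is the port the poster means).
    """
    recs = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    sameip = [r for r in recs if is_sameip(r)]
    return {
        "total": len(recs),
        "by_sid": Counter(r.get("sid", "") for r in recs),
        # The per-message 'id' field; expected to be identical across IPS alerts.
        "message_ids": {r.get("id", "") for r in recs},
        "sameip": len(sameip),
        "sameip_to_dnat_port": sum(1 for r in sameip if r.get("dstport") == dnat_port),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("alerts:", s["total"], "message ids:", sorted(s["message_ids"]))
    for sid, n in s["by_sid"].most_common():
        print(f"sid {sid}: {n} alert(s)")
    print("sameip alerts:", s["sameip"], "of which to the DNAT port:", s["sameip_to_dnat_port"])
```

Run it against the real log (`summarize(open("/var/log/ips.log").read())`, path assumed) to confirm that the flood is concentrated on one `sid` and that the `id` value is constant across all entries; the `sid` column is what identifies the individual rule.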