Hi,
I have an internal firewall between two parts of my network. I'm trying to clean up the IPS log so I can see 'real' events so I want to fine tune the configuration to not give me false positives (as much as I can). How do I relate the messages in the log back to category choices in the "Attack Patterns" configuration? For example I get this every 20 minutes or so:
snort[2530]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="NETBIOS DCERPC NCACN-IP-TCP spoolss AddPrinterEx overflow attempt" group="110" srcip="172.16.6.122" dstip="172.16.5.16" proto="6" srcport="4266" dstport="139" sid="4413" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
This is an old NT domain controller talking to a Linux box with a SAMBA installation. The functionality is fine so blocking this event doesn't seem to be a problem but I'd like to eliminate it from the logs. But which category is that likely to be coming from?
I suppose my question is generic - is there any way to relate the messages to the configuration options that enable them? Thanks.
Mike
This thread was automatically locked due to age.
