So I have recently installed 9.307-6 Home Edition.
The IPS keeps sending me email notifications for:
Message........: (ftp_telnet) FTP response message was too long
Details........: www.snort.org/search
Time...........: 2015-02-04 23:10:22
Packet dropped.: no
Priority.......: high
Classification.: Attempted User Privilege Gain
IP protocol....: 6 (TCP)
Source IP address: 205.156.51.233
Source port: 21 (ftp)
Destination IP address: Destination port: 36089
Which in this case I know is a false positive; it's my weather station software logging into NOAA to FTP down a file....
I see in the IPS log:
2015:02:04-00:00:30 snort[4558]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="(ftp_telnet) FTP response message was too long" group="410" srcip="205.156.51.233" dstip="OUTSIDEIP" proto="6" srcport="21" dstport="45597" sid="6" class="Attempted User Privilege Gain" priority="1" generator="125" msgid="1"
Under Network Protection-> Global -> Local Networks I just have Internal Network.
I have added sid="6" as an exclusion for rule 6 under Network Protection -> Intrusion Prevention -> Advanced -> Modified rules, where it just says 6 [disabled].
But for the life of me it keeps sending notifications on this rule!
I've even gone as far as trying to look in /etc/snort/rules for 'ftp_telnet' and 'FTP response message', and can't find anything that looks like rule 6.
What am I doing wrong? How do I disable this notification...
There has to be something simple here... it is just Snort after all.
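An added example (not from the post or from Sophos) that parses the IPS log line quoted above and reports the alert's Snort identifier as a generator:sid pair. Snort keys every alert on (gen_id, sig_id): generator 1 is the text rules in the rules files, while any other generator is a preprocessor or decoder, so a bare sid like 6 is only meaningful together with its generator. The sample line is constructed from the one in the post, and the suppression matcher follows the keying of Snort's own suppress directive (gen_id plus sig_id); it does not model how UTM's "Modified rules" page maps its entries.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed from the IPS log line quoted in the post (dstip is masked there).
SAMPLE_LOG = (
    '2015:02:04-00:00:30 snort[4558]: id="2101" severity="warn" sys="SecureNet" '
    'sub="ips" name="Intrusion protection alert" action="alert" '
    'reason="(ftp_telnet) FTP response message was too long" group="410" '
    'srcip="205.156.51.233" dstip="OUTSIDEIP" proto="6" srcport="21" '
    'dstport="45597" sid="6" class="Attempted User Privilege Gain" '
    'priority="1" generator="125" msgid="1"'
)

# UTM log lines: "<timestamp> <process>[<pid>]: key="value" key="value" ..."
_HEAD = re.compile(r'^(?P<ts>\S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<rest>.*)$')
_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_ips_line(line: str) -> Optional[Dict[str, str]]:
    """Split one UTM IPS log line into its key="value" fields (None if malformed)."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    fields = dict(_KV.findall(m.group("rest")))
    fields["timestamp"] = m.group("ts")
    fields["pid"] = m.group("pid")
    return fields


def snort_id(event: Dict[str, str]) -> Tuple[int, int]:
    """Return the (gen_id, sig_id) pair Snort uses to identify the alert.
    The post's line carries generator="125" and a "(ftp_telnet)" reason prefix,
    so its identifier is 125:6, not rule sid 6 of the text rules (generator 1)."""
    return int(event.get("generator", "1")), int(event["sid"])


def is_preprocessor_alert(event: Dict[str, str]) -> bool:
    """True when the alert did not come from the text rules (generator != 1)."""
    return snort_id(event)[0] != 1


def suppression_matches(event: Dict[str, str], gen_id: int, sig_id: int) -> bool:
    """Same keying as a Snort 'suppress gen_id X, sig_id Y' entry: both must match."""
    return snort_id(event) == (gen_id, sig_id)


if __name__ == "__main__":
    ev = parse_ips_line(SAMPLE_LOG)
    gid, sid = snort_id(ev)
    print(f"{ev['timestamp']} {ev['srcip']}:{ev['srcport']} -> :{ev['dstport']} "
          f"id={gid}:{sid} preprocessor={is_preprocessor_alert(ev)}")
    print("suppress 1:6 matches:", suppression_matches(ev, 1, 6))
    print("suppress 125:6 matches:", suppression_matches(ev, 125, 6))
```

Run against a saved IPS log to see, per alert, whether the sid belongs to the text rules or to a preprocessor such as ftp_telnet; a suppression keyed on 1:6 leaves a 125:6 alert untouched.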