I installed Snort last week. Amazing bit of kit it is, and along with
ACID (http://www.cert.org/kb/acid/) provides a good report of what the
network is doing.
Unfortunately there are some misbehaving boxes around. A Zyxel ISDN TA is
misbehaving on another IP network (same physical network though) and
it's sending traceroutes to the broadcast address for that network. That
in turn is being picked up by Snort and reported.
I'd like to figure out some way of ignoring stuff from that other
network if possible.
The machine Snort is running on is a Linux kernel 2.0.36 box using
ipfwadm. Snort sets the interface to promiscuous, but I'm not sure how
to block out the other network traffic because it's not clear to me that
it's either incoming or outgoing traffic (it's a different network after
all!). Have I confused you all enough now? I'll just go lie down..
Donncha.
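The situation in the post comes down to a capture-filter question rather than a firewall one: once the interface is promiscuous, Snort sees frames that are neither addressed to nor sent by the sensor, so ipfwadm input/output rules never touch them. Snort hands a libpcap (BPF) expression to the capture library, either as the trailing command-line argument or via `-F <file>`, and anything that expression rejects is dropped before any rule runs. The script below is an added example, not code from the post or from the Snort project, that builds two such filters for a list of networks to ignore and mirrors their matching semantics over some constructed sample packets, so you can check what a filter would hide before putting it in front of Snort. The addresses (192.168.2.0/24 as the misbehaving network, 192.168.1.0/24 as the sensor's own) are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Added example (not from the original post or from Snort): work out,
offline, which traffic a libpcap/BPF capture filter would keep away from
Snort.

Snort passes this kind of expression to libpcap (trailing argument or
`-F <file>`), so matching packets are dropped before any rule runs.
All addresses below are constructed for illustration.
"""
from ipaddress import ip_address, ip_network


def broad_filter(nets):
    """Filter that hides an entire network.

    In pcap syntax a bare 'net X' matches when EITHER src or dst is in X,
    so this also blinds Snort to attacks coming from that network.
    """
    return "not (" + " or ".join(f"net {ip_network(n)}" for n in nets) + ")"


def narrow_filter(nets):
    """Filter that hides only that network's own directed-broadcast noise
    (the traceroute-to-broadcast case), keeping everything else from it."""
    clauses = []
    for n in nets:
        net = ip_network(n)
        clauses.append(f"(src net {net} and dst host {net.broadcast_address})")
    return "not (" + " or ".join(clauses) + ")"


def broad_keeps(src, dst, nets):
    """True if broad_filter(nets) would let this packet through to Snort."""
    s, d = ip_address(src), ip_address(dst)
    return not any(s in ip_network(n) or d in ip_network(n) for n in nets)


def narrow_keeps(src, dst, nets):
    """True if narrow_filter(nets) would let this packet through to Snort."""
    s, d = ip_address(src), ip_address(dst)
    for n in nets:
        net = ip_network(n)
        if s in net and d == net.broadcast_address:
            return False
    return True


# Constructed sample traffic (src, dst, description); not real captures.
SAMPLE = [
    ("192.168.2.7", "192.168.2.255", "TA traceroute to the other net's broadcast"),
    ("192.168.2.7", "192.168.1.5", "other-net host probing our sensor"),
    ("192.168.1.5", "192.168.1.1", "our own network's ordinary traffic"),
]

IGNORE = ["192.168.2.0/24"]  # assumed: the network the Zyxel TA lives on


def classify(nets=tuple(IGNORE)):
    """For each sample packet: (description, kept by broad, kept by narrow)."""
    return [(desc, broad_keeps(s, d, nets), narrow_keeps(s, d, nets))
            for s, d, desc in SAMPLE]


if __name__ == "__main__":
    print("broad : ", broad_filter(IGNORE))
    print("narrow: ", narrow_filter(IGNORE))
    for desc, broad, narrow in classify():
        print(f"{desc:45s} broad={'keep' if broad else 'drop':4s} "
              f"narrow={'keep' if narrow else 'drop'}")
```

The narrow form is the one to reach for: it silences the broadcast traceroutes without hiding a host on that network that later starts scanning the sensor's own subnet. Whichever you pick, write it to a file and start Snort with `-F <that file>`; the filter is applied at capture time, which is why the incoming/outgoing distinction that ipfwadm works with does not arise here.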