[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ossec-list] Re: regex question

To: <ossec-list@xxxxxxxxxxxxxxxx>
Subject: [ossec-list] Re: regex question
From: "Tim Boyer" <tim@xxxxxxxxxxxxxx>
Date: Mon, 4 Jun 2007 20:10:51 -0400
Thread-index: Acem9BZRnTXmAa+BRIygYsSDVZuJOgAEYpeA

Since these prot scan alerts are from the Snort sfportscan preprocessor, your best option is tune out false positives from your IDS. Tuning at the log analysis layer works, of course, but general rule is to always move your tuning as far upstream as possible.

In this case, modify the "ignore_scanners" option in your snort.conf and tune out known source IP's that are legitimately scanning your network.

Tom, that sure makes sense - why have snort report it and then OSSEC ignore it if I don't want to see it in the first place? Thanks much...

--
Tim Boyer
Director
Information Systems and Engineering Projects
Denman Tire Corporation
tim@xxxxxxxxxxxxxx

References:
- [ossec-list] regex question
  - From: Tim Boyer
- [ossec-list] Re: regex question
  - From: Tom Le

Prev by Date: [ossec-list] Re: Moving Ossec
Next by Date: [ossec-list] Re: regex question
Previous by thread: [ossec-list] Re: regex question
Next by thread: [ossec-list] Moving Ossec
Index(es):
- Date
- Thread

OSSEC home | Main Index | Thread Index

OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.