
[suse-security] Strange events being triggered in Snort



Hi,

I'm hoping that someone will be able to shed some light on a bit of a strange 
problem I'm having with snort, snortcentre 2.x and BASE.

This is a home setup, so the sensor is also used for more mundane tasks like 
MySQL, Apache, web browsing, playing games etc.  It seems that whenever the 
sensor makes a DNS query, it triggers an event in BASE with an SID of 9.  
Now, as far as I can see, event SID 9 doesn't exist.

The setup is as follows:
- Sensor runs SuSE 9.3 Pro with MySQL, Apache and snort
- Snort is handled via SnortCentre 2.x which is configured to save alerts to 
an SQL database that BASE reads.
- I have set $HOME_NET to be the private subnet of my LAN
- I have set $EXTERNAL_NET = !$HOME_NET
- Searching for SID 9 in snortcentre and on the snort webpage yields no 
results

I have also had a look at the underlying databases.  BASE's database has an 
entry for SID 9, but SnortCentre's doesn't.

Any help or ideas would be gratefully received - I'm stumped.

Thanks,
Neil
