Strange events being triggered in Snort
Hi,

I'm hoping that someone will be able to shed some light on a bit of a strange problem I'm having with snort, snortcentre 2.x and BASE. This is a home set up so the sensor is also used for more mundane tasks like mySQL, Apache, web browsing, playing games etc.

It seems that whenever the sensor makes a DNS query, it triggers an event in BASE with an SID of 9. Now, as far as I can see, event SID 9 doesn't exist.

The set up is as follows:

- Sensor runs SuSE 9.3 Pro with mySQL, Apache and snort
- Snort is handled via SnortCentre 2.x which is configured to save alerts to an SQL database that BASE reads.
- I have set $HOME_NET to be the private subnet of my LAN
- I have set $EXTERNAL_NET = !$HOME_NET
- Searching for SID 9 in snortcentre and on the snort webpage yields no results

I have also had a look at the underlying databases. BASE's database has an entry for SID 9, but SnortCentre's doesn't.

Any help or ideas would be gratefully received - I'm stumped.

Thanks,
Neil
participants (1)
-
Neil Anderson