After spinning up a VM for Snort (actually BT5..) and starting Snort, I'm getting a lot of these:
SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.1.50:61097 -> 192.168.1.47:161
where the .50 address is the server and the .47 address is the BT5 box.
I'm guessing this is because the Snort box is running as a VM on Hyper-V using the Virtual Network Adapter, and it has to do with the traffic in use by the VM and the hypervisor. Sadly, this is not Server 2012 with the cool new port mirroring feature; it is Server 2008 R2.
I'm not a whiz at snort rules and so far can't find any decent answers as to how to create a snort rule to ignore this UDP traffic between these two endpoints.
Can you help me out?
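Two ways to silence Snort for SNMP between exactly these two hosts, as an added example that is not part of the original post: a Snort 2.x `pass` rule (packets that match a pass rule are excluded from further rule processing, so the alert rule never sees them) and a BPF capture filter (the packets never reach the detection engine at all). The addresses are the ones from the post; the sid value, message text, file names and output directory are assumptions made for the example, and it assumes a Snort 2.x install whose snort.conf includes `$RULE_PATH/local.rules`.

```shell
#!/bin/sh
# Added example (not from the original post): generate a Snort 2.x pass rule and
# a BPF filter that ignore SNMP between the management server and the sensor.
# Assumptions: Snort 2.x, snort.conf includes $RULE_PATH/local.rules, and the
# sid 1000001 is an arbitrary local sid (sids >= 1,000,000 are reserved for
# local rules). The output directory is a parameter so the script runs anywhere.

SERVER=192.168.1.50   # host sending the SNMP requests (from the post)
SENSOR=192.168.1.47   # the BT5/Snort VM answering on udp/161 (from the post)

# Option 1: a 'pass' rule. '<>' makes it bidirectional, so both the request
# (server -> sensor:161) and the reply (sensor:161 -> server) are covered.
# Caveat: if the alert still fires after adding this, your build evaluates alert
# rules before pass rules; set "config order: pass alert log activation dynamic"
# in snort.conf so pass rules win.
make_pass_rule() {
  printf 'pass udp %s any <> %s 161 (msg:"Ignore SNMP between management server and sensor"; sid:1000001; rev:1;)\n' "$1" "$2"
}

# Option 2: a BPF filter. Snort accepts a BPF expression as its trailing
# argument, or reads one from a file with -F. Everything matching "host A and
# host B and udp port 161" is dropped before detection, so this also hides any
# other SNMP traffic between the two hosts, which is broader than the pass rule.
make_bpf_filter() {
  printf 'not (host %s and host %s and udp port 161)\n' "$1" "$2"
}

# Write both artifacts into the given directory and echo that directory.
write_ignore_config() {
  dir="$3"
  mkdir -p "$dir"
  make_pass_rule "$1" "$2" > "$dir/local.rules"
  make_bpf_filter "$1" "$2" > "$dir/snmp-ignore.bpf"
  echo "$dir"
}

out=$(write_ignore_config "$SERVER" "$SENSOR" "${1:-$(mktemp -d)}")
echo "wrote $out/local.rules and $out/snmp-ignore.bpf"
echo "pass rule: append local.rules to \$RULE_PATH/local.rules, then verify the config with: snort -T -c /etc/snort/snort.conf"
echo "BPF filter: snort -c /etc/snort/snort.conf -i eth0 -F $out/snmp-ignore.bpf"
```

Pick one of the two. The pass rule is the narrower fix: it only stops rules from firing on this one flow while leaving the packets visible to preprocessors and to other rules. The BPF filter removes the packets from Snort's view entirely. Either way, note what the alert is telling you: "SNMP public access udp" fires because an SNMP request carrying the default community string "public" is crossing the wire, so the rule hides the alert rather than the weak community string; if that is a real poll of the sensor rather than hypervisor noise, changing the community string is the underlying fix.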