Snort mailing list archives
Re: false positives?
From: Cilin <cilin5 () yahoo com>
Date: Mon, 29 Nov 2004 09:06:00 -0800 (PST)
Jeff,

I was experimenting with the HOME_NET variable and decided to narrow it down to only the Snort box itself. Then the "NETBIOS SMB-DS IPC$ share unicode access." alert started triggering on normal activity. So I would double check if the sources of these alerts are from boxes that should have access to shared resources.

Also, I logged tons of NETBIOS alerts when I was trying to set up Symantec AV and connect a client box to the 'protected' workgroup.

Hope this helps,
Vents
Current thread:
- false positives? Jeff Schmidt (CACL Tech Asst) (Nov 29)
- Re: false positives? Cilin (Nov 29)
- Re: false positives? Brian (Nov 29)