Snort mailing list archives
Re: Questions about sids.
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 8 Apr 2013 09:48:57 -0400
On Apr 8, 2013, at 9:37 AM, Joao Daniel Neves <joaodanielnevesss () hotmail com> wrote:
> I'm a bit lost. I always have a lot of alerts of sid 1-373 (http://www.snort.org/search/sid/1-373). It is PROTOCOL-ICMP PING Flowpoint2200 or Network Management Software. I think that is not a reason to bother, since it is just a ping. I know that ping can be used to scan a network, but it does not seem to be the behavior of the alert, since just one source sent 110 packages to only three IPs and then never triggered another alert. Should I be worried about it?
If it's normal for you to have those events, then no, you shouldn't be worried. Turn the rule off.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
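
Added example, not part of the original thread: a Python script that checks the pattern described in the question (one source, many alerts, few destinations) against Snort fast-format alert lines before the rule is turned off. The sample lines, addresses, rev number, the second rule id and the 20-destination threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Snort "fast" alert: time [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\].*?"
    r"\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

def summarize(lines, gid=1, sid=373):
    """Per source: alert count and distinct destinations for one rule."""
    stats = defaultdict(lambda: {"alerts": 0, "dests": set()})
    for line in lines:
        m = ALERT_RE.search(line)
        if not m or (int(m["gid"]), int(m["sid"])) != (gid, sid):
            continue  # unparsable line or a different rule
        stats[m["src"]]["alerts"] += 1
        stats[m["src"]]["dests"].add(m["dst"])
    return dict(stats)

def classify(stats, sweep_dests=20):
    """'sweep-like' = many distinct hosts probed; 'repetitive' = the same
    few hosts pinged over and over. The threshold is an assumption."""
    return {src: "sweep-like" if len(s["dests"]) >= sweep_dests else "repetitive"
            for src, s in stats.items()}

def build_sample():
    """Constructed alert lines (documentation address ranges)."""
    fmt = ("04/08-09:37:{:02d}.000000  [**] [1:{}:1] {} [**] "
           "[Classification: Misc activity] [Priority: 3] {{ICMP}} {} -> {}")
    msg = "PROTOCOL-ICMP PING Flowpoint2200 or Network Management Software"
    # One source, 110 alerts, three destinations (the case in the question).
    lines = [fmt.format(i % 60, 373, msg, "192.0.2.10", f"198.51.100.{1 + i % 3}")
             for i in range(110)]
    # Contrast case: one source touching 30 different hosts once each.
    lines += [fmt.format(i % 60, 373, msg, "192.0.2.99", f"203.0.113.{i + 1}")
              for i in range(30)]
    # A different (constructed) rule id that must be ignored.
    lines.append(fmt.format(0, 1000001, "constructed local rule",
                            "192.0.2.10", "198.51.100.9"))
    return lines

if __name__ == "__main__":
    stats = summarize(build_sample())
    for src, label in classify(stats).items():
        s = stats[src]
        print(f"{src}: {s['alerts']} alerts, {len(s['dests'])} dests, {label}")
```
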