IDS mailing list archives
Re: Snort false positive[Scanned]
From: "Davie Elliott - Eluse" <delliott () eluse co uk>
Date: Tue, 16 May 2006 17:09:37 +0100
Hi Isidro,

I would say that they are just false positives. I get the exact same alerts on the network I administer, simply because I haven't "tuned" the Snort box to the network environment. Remember that ID Systems are not plug & play; they do need "tuning" to the environment they are in.

~Davie Elliott

----- Original Message -----
From: "Isidro Catalán Ramos" <icatalan () amigophone es>
To: "focus-ids" <focus-ids () securityfocus com>
Sent: Tuesday, May 16, 2006 11:09 AM
Subject: Snort false positive[Scanned]
Hi list,

We have Snort 2.4.4 and in the logs a lot of port scan traffic of this type appears:

(portscan) TCP Portsweep
(portscan) ICMP Sweep
(portscan) UDP Portsweep
(portscan) Open Port

And the payload of these alerts looks like the following:

Payload (ASCII):
Priority Count: 5
Connection Count: 4
IP Count: 14
Scanned IP Range: 192.168.1.9:65.54.171.28
Port/Proto Count: 8
Port/Proto Range: 80:3410

These alerts come from a lot of our network computers, but they seem to be clean of spyware, worms, etc... We need to know if this is a false positive or whether we have a problem in our LAN.

Thanks!

--
Isidro Catalán Ramos
Systems administrator
-----------------------
Amigophone S.L. [ www.amigophone.es ]
-----------------------
Tel: +34 933 661 007
Fax: +34 933 661 012
icatalan () amigophone es
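As an added example (not code from either poster), a small Python parser for the sfPortscan payload Isidro quoted, which computes the ratios the Snort manual's sfPortscan tuning section uses to judge whether a portsweep alert is genuine, and builds the ignore_scanners clause for a source you have confirmed benign. The payload text is reconstructed from the thread, the 192.168.1.0/24 LAN is assumed, and the clause syntax is assumed from the Snort 2.x manual.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the sfPortscan payload quoted in the thread, with the
# newlines that the ASCII dump rendered as dots put back.
SAMPLE_PAYLOAD = """Priority Count: 5
Connection Count: 4
IP Count: 14
Scanned IP Range: 192.168.1.9:65.54.171.28
Port/Proto Count: 8
Port/Proto Range: 80:3410
"""

FIELD_RE = re.compile(r"^(?P<key>[A-Za-z/ ]+?):\s*(?P<value>.+?)\s*$", re.MULTILINE)

def parse_sfportscan(payload):
    """Parse the 'key: value' lines of an sfPortscan payload. Counts become
    ints, the IP range a pair of addresses, the port range a pair of ints."""
    out = {}
    for m in FIELD_RE.finditer(payload):
        key, value = m["key"], m["value"]
        if key.endswith("Count"):
            out[key] = int(value)
        elif key.endswith("IP Range"):
            a, b = value.split(":")            # IPv4 only in Snort 2.4 output
            out[key] = (ip_address(a), ip_address(b))
        elif key.endswith("Range"):
            a, b = value.split(":")
            out[key] = (int(a), int(b))
        else:
            out[key] = value
    return out

def triage(fields, local_nets):
    """Ratios the Snort manual's sfPortscan tuning section recommends as the
    quick sanity check: for a genuine portsweep it expects few connections per
    IP but many bad responses (resets/unreachables) per connection. Also flags
    whether the scanned range leaves the given LAN (assumed 192.168.1.0/24)."""
    conn, prio = fields["Connection Count"], fields["Priority Count"]
    nets = [ip_network(n) for n in local_nets]
    endpoints = fields["Scanned IP Range"]
    return {
        "conn_per_ip": conn / fields["IP Count"],
        "bad_per_conn": prio / conn if conn else float("inf"),  # filtered scan
        "conn_per_port": conn / fields["Port/Proto Count"],
        "leaves_lan": not all(any(a in n for n in nets) for a in endpoints),
    }

def ignore_scanners_clause(hosts):
    """ignore_scanners clause for the sfportscan preprocessor line once a
    source is confirmed benign (shape assumed from the Snort 2.x manual:
    space-separated IPs/CIDRs in braces; check your version's manual)."""
    return "ignore_scanners { " + " ".join(hosts) + " }"
```

For the quoted alert this gives about 0.29 connections per IP and 1.25 bad responses per connection, which by the manual's ratios reads as a sweep rather than noise, so check the source host before adding it to ignore_scanners.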