IDS mailing list archives

Re: Snort false positive[Scanned]


From: "Davie Elliott - Eluse" <delliott () eluse co uk>
Date: Tue, 16 May 2006 17:09:37 +0100

Hi Isidro,

I would say that they are just false positives.
I get exactly the same alerts on the network I administer, simply because I haven't
"tuned" the Snort box to the network environment.

Remember that ID Systems are not plug & play, they do need "tuning" to the
environment they are in.

~Davie Elliott

----- Original Message ----- 
From: "Isidro Catalán Ramos" <icatalan () amigophone es>
To: "focus-ids" <focus-ids () securityfocus com>
Sent: Tuesday, May 16, 2006 11:09 AM
Subject: Snort false positive[Scanned]


Hi list,

We have Snort 2.4.4 and in the logs appear a lot of Port Scan traffic of
this type:

(portscan) TCP Portsweep
(portscan) ICMP Sweep
(portscan) UDP Portsweep
(portscan) Open Port

And the payload of these alerts looks like the following:

Payload (ASCII):
Priority Count: 5
Connection Count: 4
IP Count: 14
Scanned IP Range: 192.168.1.9:65.54.171.28
Port/Proto Count: 8
Port/Proto Range: 80:3410

These alerts come from a lot of our network computers, but they seem to
be clean of spyware, worms, etc.

We need to know if this is a false positive or whether we have a problem in our
LAN.

Thanks!
-- 

   Isidro Catalán Ramos
   Administrador de sistemas
  -----------------------
      Amigophone S.L.
   [ www.amigophone.es ]
  -----------------------
   Telf: +34 933 661 007
   Fax:  +34 933 661 012
   icatalan () amigophone es
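The "tuning" the reply refers to is done, in Snort 2.x, on the sfPortscan preprocessor line (its `sense_level`, `ignore_scanners`, `ignore_scanned` and `watch_ip` options). The following is an added example, not code from the thread or from Snort: it parses the sfPortscan pseudo-packet payload quoted above (the `.` bytes in the hex dump are newlines) into its fields and applies a local triage policy to it, so that alerts from known scanner hosts or below a site-specific threshold can be suppressed rather than investigated one by one. The thresholds, the local network ranges, the `ignore_scanners` list and the alert source address `192.168.1.23` are assumptions for illustration; the parser handles IPv4 only, since that is what the quoted payload contains.

```python
"""Parse a Snort 2.x sfPortscan payload and apply a site-specific triage policy.

Added example for the thread above; assumptions are marked inline.
"""
import ipaddress
import re

# Constructed sample: the ASCII payload from the alert quoted in the thread,
# with the '.' bytes of the hex dump restored to the newlines Snort writes.
SAMPLE_PAYLOAD = (
    "Priority Count: 5\n"
    "Connection Count: 4\n"
    "IP Count: 14\n"
    "Scanned IP Range: 192.168.1.9:65.54.171.28\n"
    "Port/Proto Count: 8\n"
    "Port/Proto Range: 80:3410\n"
)

# Assumed site data: RFC 1918 ranges in use and hosts expected to sweep ports
# (a vulnerability scanner or monitoring box, for example). Adjust per site.
LOCAL_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]
IGNORE_SCANNERS = [ipaddress.ip_network("192.168.1.250/32")]

FIELD_RE = re.compile(r"^(?P<key>[A-Za-z/ ]+?):\s*(?P<value>.+)$")
COUNT_FIELDS = {"Priority Count", "Connection Count", "IP Count", "Port/Proto Count"}


def parse_portscan_payload(payload):
    """Turn the 'Key: value' lines into a dict: counts as ints, ranges as tuples."""
    fields = {}
    for line in payload.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue  # tolerate blank lines or stray bytes in the dump
        key, value = m.group("key"), m.group("value").strip()
        if key in COUNT_FIELDS:
            fields[key] = int(value)
        elif key == "Scanned IP Range":
            lo, hi = value.split(":", 1)  # IPv4 only: 'a.b.c.d:e.f.g.h'
            fields[key] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif key == "Port/Proto Range":
            lo, hi = value.split(":", 1)
            fields[key] = (int(lo), int(hi))
        else:
            fields[key] = value
    return fields


def triage(fields, scanner_ip, local_nets, ignore_scanners,
           min_priority=10, min_ip_count=20):
    """Return (verdict, reason) for one portscan alert.

    The thresholds are assumed local tuning values, not Snort defaults; the
    source address comes from the alert header, not from the payload.
    """
    scanner = ipaddress.ip_address(scanner_ip)
    if any(scanner in net for net in ignore_scanners):
        return "suppress", "source is a known scanner host"
    lo, hi = fields["Scanned IP Range"]
    # sfPortscan reports only the endpoints of the scanned range.
    stays_internal = all(any(ip in net for net in local_nets) for ip in (lo, hi))
    loud = (fields["Priority Count"] >= min_priority
            or fields["IP Count"] >= min_ip_count)
    if loud:
        return "investigate", "priority or host count above tuned thresholds"
    if stays_internal:
        return "review", "low counts, but the scanned range is confined to local networks"
    return "suppress", "low counts and the scanned range extends to external hosts"


def triage_sample():
    """Run the policy over the constructed sample with the assumed source address."""
    fields = parse_portscan_payload(SAMPLE_PAYLOAD)
    return triage(fields, "192.168.1.23", LOCAL_NETS, IGNORE_SCANNERS)


if __name__ == "__main__":
    parsed = parse_portscan_payload(SAMPLE_PAYLOAD)
    for key, value in parsed.items():
        print(f"{key:18} {value}")
    print(triage_sample())
```

Running it against the quoted payload yields `suppress`: five priority events across fourteen hosts with a range reaching outside the LAN is below the assumed thresholds. The same function returns `investigate` once the counts exceed them, and `review` when a low-count sweep stays inside the local ranges, which is the case a tuned deployment still wants a human to glance at.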



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------