Re: False positives

[Joel Esler <jesler () sourcefire com>]

On Aug 22, 2012, at 7:22 AM, Philip Edwards <phil.e () clara net> wrote:
> Hi everyone,
>
> For some reason my web browsing is triggering this alert:
>
> COMMUNITY SIP TCP/IP message flooding directed  to SIP proxy
>
> The rule states that the destination port should be 5060. 
>
> Here's an example from the tcpdump of some traffic that triggered it:
>
> 11:32:42.061722 IP www.iana.org.http > 192.168.1.2.33636: Flags [P.], seq 671861960:671862675, ack 1684832370, win 
> 4637, options [nop,nop,TS val 1306801397 ecr 3575], length 715
>
> 2:02:45.257090 IP ubuntu.datahop.net.http > 192.168.1.2.38676: Flags [.], seq 2045446811:2045448217, ack 4063795559, 
> win 158, options [nop,nop,TS val 428843889 ecr 454408], length 1406

So I am guessing you are running debian or ubuntu or something (one of these distros builds in the COMMUNITY rules).

I'd recommend using pulledpork to download the latest ruleset from Snort.org, and erase all of those old COMMUNITY 
rules.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!