Snort mailing list archives
Alerts triggering for unused IP space.
From: fatema bannatwala via Snort-users <snort-users () lists snort org>
Date: Wed, 17 Jan 2018 13:24:05 -0500
Hi,

So, in an effort to detect the false positives, I was going through the alerts and saw that for an alert (sid:42016), looking for incoming UDP packets from External_Net to Home_Net on port 4800, a lot of Home_Net IPs weren't in use at the time when the alert was triggered for the corresponding Home_Net IPs. Hence, just like for TCP connections, where "established" can be used to make sure that the Home_Net IP is actively being used on the network (as the ACK flag will show), I was thinking whether there's a way for UDP rules to check whether the Home_Net IP is being used at the time when the alert is triggered, and if not, then those alerts can be suppressed? Currently, alert 42016 is triggering for IPs that aren't in use by any device on the Home network (according to our DHCP logs), hence they can all simply be ignored.

Thanks,
Fatema.
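One way to do the DHCP cross-check described above, as an added example that is not from this thread or from the Snort project: a Python script that parses Snort fast-format alerts for sid 42016 and separates those whose Home_Net destination held a DHCP lease at alert time from those that did not. The lease table, alert lines and rule message text are constructed for illustration.

```python
# Added example (not from the thread): correlate Snort fast-format alerts for
# sid 42016 with DHCP lease records; alerts to unleased Home_Net IPs are dropped.
import re
from datetime import datetime

# Constructed lease table: (ip, lease_start, lease_end). In practice this would
# be parsed from the DHCP server's lease log.
LEASES = [
    ("10.0.0.15", datetime(2018, 1, 17, 8, 0), datetime(2018, 1, 17, 20, 0)),
    ("10.0.0.22", datetime(2018, 1, 16, 9, 0), datetime(2018, 1, 17, 9, 0)),
]

# Constructed alerts in Snort "fast" format; the rule message is a placeholder.
ALERTS = """\
01/17-13:05:11.123456  [**] [1:42016:2] EXAMPLE MSG [**] [Priority: 2] {UDP} 203.0.113.9:4800 -> 10.0.0.15:4800
01/17-13:06:40.654321  [**] [1:42016:2] EXAMPLE MSG [**] [Priority: 2] {UDP} 203.0.113.9:4800 -> 10.0.0.99:4800
01/17-13:07:02.000000  [**] [1:42016:2] EXAMPLE MSG [**] [Priority: 2] {UDP} 203.0.113.9:4800 -> 10.0.0.22:4800
"""

FAST_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.\d+\s+\[\*\*\]\s+\[(\d+):(\d+):\d+\].*?"
    r"\{(\w+)\}\s+\S+:\d+\s+->\s+(\S+):(\d+)$"
)

def parse_alert(line, year=2018):
    """Return (timestamp, sid, proto, dst_ip, dst_port) or None; fast format omits the year."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    mon, day, hh, mm, ss, _gid, sid, proto, dst, dport = m.groups()
    ts = datetime(year, int(mon), int(day), int(hh), int(mm), int(ss))
    return ts, int(sid), proto, dst, int(dport)

def ip_in_use(ip, when, leases=LEASES):
    """True if the Home_Net address held a DHCP lease covering the alert time."""
    return any(ip == lip and start <= when <= end for lip, start, end in leases)

def split_alerts(text, sid=42016, leases=LEASES):
    """Return (keep, drop): destination IPs leased at alert time vs. unused IP space."""
    keep, drop = [], []
    for line in text.splitlines():
        parsed = parse_alert(line)
        if parsed is None or parsed[1] != sid:
            continue
        ts, _, _, dst, _ = parsed
        (keep if ip_in_use(dst, ts, leases) else drop).append(dst)
    return keep, drop

if __name__ == "__main__":
    print(split_alerts(ALERTS))  # (['10.0.0.15'], ['10.0.0.99', '10.0.0.22'])
```

The `drop` list is the set of destinations that could be fed into Snort's per-IP suppression configuration; the 10.0.0.22 alert is dropped because its lease had already expired when the packet arrived.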