Snort mailing list archives

Alerts triggering for unused IP space.


From: fatema bannatwala via Snort-users <snort-users () lists snort org>
Date: Wed, 17 Jan 2018 13:24:05 -0500

Hi,

So in an effort to detect the false positives, I was going through the
alerts and saw that for an alert (sid:42016) looking for incoming UDP
packets from External_Net to Home_Net on port 4800, a lot of the Home_Net
IPs weren't in use at the time the alert was triggered for the
corresponding Home_Net IPs.

Hence, just as "established" can be used for TCP connections to make sure
that the Home_Net IP is actively being used on the network (as the ACK flag
will show), I was wondering whether there's a way for UDP rules to check
whether the Home_Net IP is in use at the time the alert is triggered, and if
not, suppress those alerts?

Currently, alert 42016 is triggering for IPs that aren't in use by any
device on the home network (according to our DHCP logs), hence they can all
simply be ignored.

Thanks,
Fatema.
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
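One way to do what the post describes offline, as an added example that is not from the original post or from the Snort project: correlate Snort fast-format alert lines for sid 42016 with ISC dhcpd syslog lines, treat a destination IP as "in use" only if it held an active DHCP lease when the alert fired, and emit Snort threshold.conf `suppress ... track by_dst` entries for the rest. The alert lines, DHCP lines, year (neither log format carries one) and fixed lease length below are all constructed assumptions; in practice take the lease time from dhcpd.conf.

```python
"""Flag Snort UDP alerts whose Home_Net destination had no DHCP lease at alert time.
Added example with constructed data; not code from the original post or from Snort."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions: both log formats omit the year, so one is supplied here, and the
# lease length is a constant rather than being read from dhcpd.conf.
YEAR = 2018
LEASE = timedelta(hours=4)

# Constructed sample input (Snort "alert_fast" output, ISC dhcpd syslog lines).
SNORT_ALERTS = """\
01/17-13:24:05.123456  [**] [1:42016:3] EXAMPLE RULE [**] [Priority: 2] {UDP} 203.0.113.7:5353 -> 10.1.2.3:4800
01/17-13:24:06.000001  [**] [1:42016:3] EXAMPLE RULE [**] [Priority: 2] {UDP} 203.0.113.7:5353 -> 10.1.2.9:4800
01/17-13:24:07.000002  [**] [1:42016:3] EXAMPLE RULE [**] [Priority: 2] {UDP} 203.0.113.7:5353 -> 10.1.2.20:4800
"""
DHCP_LOG = """\
Jan 17 11:05:00 dhcp1 dhcpd: DHCPACK on 10.1.2.3 to 00:11:22:33:44:55 (laptop-a) via eth0
Jan 17 12:00:00 dhcp1 dhcpd: DHCPACK on 10.1.2.20 to 00:11:22:33:44:66 via eth0
Jan 17 12:30:00 dhcp1 dhcpd: DHCPRELEASE of 10.1.2.20 from 00:11:22:33:44:66 via eth0
"""

ALERT_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[1:(\d+):\d+\].*?"
    r"\{UDP\}\s+(\S+):\d+\s+->\s+(\S+):(\d+)")
DHCP_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: (DHCPACK on|DHCPRELEASE of) (\S+) ")


def parse_alerts(text):
    """Return (timestamp, sid, src, dst, dport) for each UDP alert line."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        mon, day, clock, sid, src, dst, dport = m.groups()
        ts = datetime.strptime(f"{YEAR}-{mon}-{day} {clock}", "%Y-%m-%d %H:%M:%S")
        out.append((ts, int(sid), src, dst, int(dport)))
    return out


def build_leases(text):
    """Map IP -> list of [start, end] lease windows.
    A DHCPACK opens a window of LEASE length; a DHCPRELEASE that falls inside
    an open window closes it early."""
    events = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if not m:
            continue
        stamp, kind, ip = m.groups()
        events.append((datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S"), kind, ip))
    leases = defaultdict(list)
    for ts, kind, ip in sorted(events):
        if kind == "DHCPACK on":
            leases[ip].append([ts, ts + LEASE])
        else:
            for win in leases[ip]:
                if win[0] <= ts < win[1]:
                    win[1] = ts
    return leases


def in_use(leases, ip, ts):
    """True if `ip` held an active lease at time `ts`."""
    return any(start <= ts < end for start, end in leases.get(ip, []))


def unused_targets(alert_text, dhcp_text, sid=42016):
    """Destination IPs that triggered `sid` while holding no lease, ascending."""
    leases = build_leases(dhcp_text)
    hits = {dst for ts, s, _src, dst, _port in parse_alerts(alert_text)
            if s == sid and not in_use(leases, dst, ts)}
    return sorted(hits, key=ipaddress.ip_address)


def suppress_lines(ips, sid=42016):
    """threshold.conf suppress entries keyed on the unused destination IPs."""
    return [f"suppress gen_id 1, sig_id {sid}, track by_dst, ip {ip}" for ip in ips]


if __name__ == "__main__":
    for entry in suppress_lines(unused_targets(SNORT_ALERTS, DHCP_LOG)):
        print(entry)
```

On the sample data this emits suppress entries for 10.1.2.9 (never leased) and 10.1.2.20 (lease released before the alert) and leaves 10.1.2.3 alone. Two caveats for anyone adopting it: a suppress list built this way is only as current as the lease table, so it should be regenerated as leases churn or the script used as a post-processing filter on alert output instead; and unlike TCP's handshake, UDP gives the sensor no in-band proof that the target is alive, so a lease lookup is an approximation of "host in use", not a replacement for seeing a reply from the host.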