IDS mailing list archives
Re: Snort false positive
From: "Joel Esler" <eslerj () gmail com>
Date: Tue, 16 May 2006 13:37:21 -0400
Sounds like you need to tune your sfportscan preprocessor. http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/rc1/node11.html#SECTION00317000000000000000 Refer to above link for help. Also be sure and subscribe to the Snort-Users list at: http://www.snort.org/community/lists.html Joel On 5/16/06, Isidro Catalán Ramos <icatalan () amigophone es> wrote:
Hi list,
We have Snort 2.4.4 and in the logs appear a lot of Port Scan traffic of
this type:
(portscan) TCP Portsweep
(portscan) ICMP Sweep
(portscan) UDP Portsweep
(portscan) Open Port
And the payload of this alerts is like the above:
Payload (ASCII):
Priority Count: 5.Co
nnection Count: 4.IP
Count: 14.Scanned I
P Range: 192.168.1.9
:65.54.171.28.Port/
Proto Count: 8.Port/
Proto Range: 80:3410
.
This alerts come from a lot of our network computers but they seems to
be clean of spyware, worms, etc...
We need to know if this is a false posivite or we have a problem in our
LAN.
Tanks!
--
Isidro Catalán Ramos
Administrador de sistemas
-----------------------
Amigophone S.L.
[ www.amigophone.es ]
-----------------------
Telf: +34 933 661 007
Fax: +34 933 661 012
icatalan () amigophone es
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
-- --Joel ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- Snort false positive Isidro Catalán Ramos (May 16)
- Re: Snort false positive[Scanned] Davie Elliott - Eluse (May 16)
- RE: Snort false positive[Scanned] Omar A. Herrera (May 17)
- Re: Snort false positive Joel Esler (May 17)
- Re: Snort false positive[Scanned] Davie Elliott - Eluse (May 16)