[Snort-sigs] false positive report

Chris Bennett chris at ...2392...
Thu Apr 15 06:38:11 EDT 2004


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:   ICMP PING NMAP

--
Sid:  469

--
Summary: I was nearly booted from my ISP because of this false positive
caused by the program "LISA", which is a standard daemon included with
Mandrake 9.2.  I have no idea if that Sid above is correct; I got it from a
web search.

--
Impact: As I said, I was nearly booted, because LISA generates ICMP pings in
a scanning fashion to build a Network Neighborhood view.

--
Detailed Information:  See here: http://lisa-home.sourceforge.net/

--
Affected Systems: Linux Mandrake (at least 9.2 and beyond)

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives: I'm reporting a freakin false positive right now.

--
False Negatives:

--
Corrective Action:

--
Contributors: Chris Bennett (chris at ...2392...)

-- 
Additional References:




