[Snort-sigs] Holy false Positives

Shaun T. Erickson ste at ...2549...
Wed Jun 16 07:11:07 EDT 2004

Goodson, Jacob wrote:

> What could be causing the L3retriever Ping signature to trigger?  I think it
> is a false positive.

I just set up my first snort sensors yesterday, and am seeing a large 
number of these, myself, from many of my systems. I have a hard time 
believing that they all have a scanner installed and running on them.

I'm also seeing thousands of alerts on "SCAN UPnP service discover 
attempt" (sid 1917). Having only started my sensors yesterday, I don't 
really know, yet, how to determine if this is something bad happening on 
my net, or if turning off some service on my systems would stop it, or 
if I should ignore it, or what. This one sid accounts for the vast 
majority of my alerts, with hundreds every couple minutes.


More information about the Snort-sigs mailing list