[Snort-sigs] Holy false Positives
Shaun T. Erickson
ste at ...2549...
Wed Jun 16 07:11:07 EDT 2004
Goodson, Jacob wrote:
> What could be causing the L3retriever Ping signature to trigger? I think it
> is a false positive.
I just set up my first snort sensors yesterday, and am seeing a large
number of these, myself, from many of my systems. I have a hard time
believing that they all have a scanner installed and running on them.
I'm also seeing thousands of alerts on "SCAN UPnP service discover
attempt" (sid 1917). Having only started my sensors yesterday, I don't
really know, yet, how to determine if this is something bad happening on
my net, or if turning off some service on my systems would stop it, or
if I should ignore it, or what. This one sid accounts for the vast
majority of my alerts, with hundreds every couple minutes.