[Snort-sigs] Holy false Positives

Matthew Watchinski mwatchinski at ...435...
Wed Jun 16 08:11:13 EDT 2004


Make sure you set your $HOME_NET and $EXTERNAL_NET variables correctly. Setting 
these to the correct subnets will most likely eliminate your SCAN UPnP service 
discover attempt alerts.

$HOME_NET = all the networks you protect
$EXTERNAL_NET = !$HOME_NET

Cheers,
-matt


Shaun T. Erickson wrote:
> Goodson, Jacob wrote:
> 
>> What could be causing the L3retriever Ping signature to trigger?  I
>> think it is a false positive.
>>
> 
> I just set up my first snort sensors yesterday, and am seeing a large 
> number of these, myself, from many of my systems. I have a hard time 
> believing that they all have a scanner installed and running on them.
> 
> I'm also seeing thousands of alerts on "SCAN UPnP service discover 
> attempt" (sid 1917). Having only started my sensors yesterday, I don't 
> really know, yet, how to determine if this is something bad happening on 
> my net, or if turning off some service on my systems would stop it, or 
> if I should ignore it, or what. This one sid accounts for the vast 
> majority of my alerts, with hundreds every couple minutes.
> 
>     -ste
> 
> 
> 
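
Added illustration (not part of the original message and not Snort code) of why the variable settings in the reply change the alert volume. It assumes sid 1917 uses the rule header `udp $EXTERNAL_NET any -> $HOME_NET 1900` and that both variables start out as `any`; the subnet and flows are constructed sample data.

```python
import ipaddress

def in_var(addr, nets, negate=False):
    """True if addr is inside a Snort-style IP variable (list of CIDRs)."""
    ip = ipaddress.ip_address(addr)
    hit = any(ip in ipaddress.ip_network(n) for n in nets)
    return hit != negate  # negate=True models a leading '!'

def header_matches(flow, home_net, external_is_not_home):
    """Evaluate the assumed header: udp $EXTERNAL_NET any -> $HOME_NET 1900."""
    src, dst, dport = flow
    if dport != 1900:
        return False
    if external_is_not_home:
        src_ok = in_var(src, home_net, negate=True)  # EXTERNAL_NET = !$HOME_NET
    else:
        src_ok = True                                # EXTERNAL_NET = any
    return src_ok and in_var(dst, home_net)

ANY = ["0.0.0.0/0"]          # both variables set to 'any' (assumed starting point)
HOME = ["192.168.10.0/24"]   # constructed protected subnet

# Constructed flows: (source, destination, UDP destination port)
FLOWS = [
    ("192.168.10.21", "239.255.255.250", 1900),  # inside host, SSDP multicast
    ("192.168.10.22", "192.168.10.1", 1900),     # inside host to inside gateway
    ("203.0.113.7", "192.168.10.5", 1900),       # outside host probing inside
]

def alerts(home_net, external_is_not_home):
    """Return the flows whose addresses and port satisfy the rule header."""
    return [f for f in FLOWS if header_matches(f, home_net, external_is_not_home)]

if __name__ == "__main__":
    print("HOME_NET any, EXTERNAL_NET any:       ", len(alerts(ANY, False)))
    print("HOME_NET set, EXTERNAL_NET any:       ", len(alerts(HOME, False)))
    print("HOME_NET set, EXTERNAL_NET !$HOME_NET:", len(alerts(HOME, True)))
```

With the variables scoped as the reply suggests, only the flow that actually originates outside the protected subnet still satisfies the header; the inside-to-inside discovery chatter no longer does.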




