[Snort-sigs] Holy false Positives
mwatchinski at ...435...
Wed Jun 16 08:11:13 EDT 2004
Make sure you set your $HOME_NET and $EXTERNAL_NET variables correctly. Setting
these to the correct subnets will most likely eliminate your SCAN UPnP service
discover attempt alerts.
$HOME_NET = all the networks you protect
$EXTERNAL_NET = !$HOME_NET
Shaun T. Erickson wrote:
> Goodson, Jacob wrote:
>> What could be causing the L3retriever Ping signature to trigger? I
>> think it is a false positive.
> I just set up my first snort sensors yesterday, and am seeing a large
> number of these, myself, from many of my systems. I have a hard time
> believing that they all have a scanner installed and running on them.
> I'm also seeing thousands of alerts on "SCAN UPnP service discover
> attempt" (sid 1917). Having only started my sensors yesterday, I don't
> really know, yet, how to determine if this is something bad happening on
> my net, or if turning off some service on my systems would stop it, or
> if I should ignore it, or what. This one sid accounts for the vast
> majority of my alerts, with hundreds every couple minutes.
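Added example, not part of the original message or of Snort itself: a small Python model of how a rule header's address variables are evaluated, showing why leaving both variables at "any" alerts on internal SSDP traffic while EXTERNAL_NET = !$HOME_NET does not. The header shape (alert udp $EXTERNAL_NET any -> $HOME_NET 1900), the subnets and the sample flows are assumptions constructed for illustration.

```python
import ipaddress

def parse_var(spec, variables):
    """Resolve a Snort-style address spec to (negated, networks); networks=None means 'any'."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec.startswith("$"):
        inner_neg, nets = parse_var(variables[spec[1:]], variables)
        return negated ^ inner_neg, nets
    if spec == "any":
        return negated, None
    nets = [ipaddress.ip_network(n.strip()) for n in spec.strip("[]").split(",")]
    return negated, nets

def addr_matches(ip, spec, variables):
    negated, nets = parse_var(spec, variables)
    hit = True if nets is None else any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated

def header_matches(flow, variables):
    # Assumed header shape: alert udp $EXTERNAL_NET any -> $HOME_NET 1900
    src, dst, dport = flow
    return (dport == 1900
            and addr_matches(src, "$EXTERNAL_NET", variables)
            and addr_matches(dst, "$HOME_NET", variables))

# Both variables left wide open (hypothetical untuned sensor).
DEFAULT = {"HOME_NET": "any", "EXTERNAL_NET": "any"}
# Tuned as the reply describes; the subnets are constructed examples.
TUNED = {"HOME_NET": "[192.168.1.0/24,10.10.0.0/16]", "EXTERNAL_NET": "!$HOME_NET"}

# Constructed sample flows: (source IP, destination IP, destination UDP port)
FLOWS = [
    ("192.168.1.23", "239.255.255.250", 1900),  # workstation SSDP multicast
    ("10.10.4.7", "192.168.1.50", 1900),        # internal host to internal host
    ("203.0.113.9", "192.168.1.50", 1900),      # outside host to internal host
]

def alerts(variables):
    """Return the flows whose addresses and port satisfy the rule header."""
    return [f for f in FLOWS if header_matches(f, variables)]

if __name__ == "__main__":
    print("default vars:", len(alerts(DEFAULT)), "alerts")
    print("tuned vars:  ", len(alerts(TUNED)), "alerts")
```

With the tuned variables only the flow that originates outside the protected networks still matches, which is the traffic the signature is meant to flag.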