[Snort-sigs] Snort rule 613 False Positive

gandalf at ...2973...
Thu Jan 27 06:08:17 EST 2005


Rule:  
SCAN myscan
--
Sid:
1:613
--
False Positives:
Cisco PIX (192.168.200.2) talking to a Websense server (192.168.1.50) generates this alert. Since the PIX IP address was not in $HOME_NET, it alerted:

(Sorry, I don't have the PCAP output, just the alert):
#(4 - 6807) [2005-01-25 18:33:38] [arachNIDS/439] [snort/613]  SCAN myscan
IPv4: 192.168.200.2 -> 192.168.1.50
      hlen=5 TOS=0 dlen=44 ID=1684 flags=0 offset=0 TTL=253 chksum=48381
TCP:  port=10101 -> dport: 15868  flags=******S* seq=265602979
      ack=0 off=6 res=0 win=4096 urp=0 chksum=20739
      Options:
       #1 - MSS len=2 data=05B4
Payload: none
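An added example (not part of the post) that parses the alert above and replays the sid 613 match on it, showing why the PIX SYN fires the rule and why adding the PIX address to $HOME_NET stops it. It assumes the classic sid 613 conditions (SYN-only, ack 0, TTL above 220, $EXTERNAL_NET to $HOME_NET); the alert text is the one from the post.

```python
import ipaddress
import re

# Alert printout copied from the post above (constructed sample input).
ALERT = """#(4 - 6807) [2005-01-25 18:33:38] [arachNIDS/439] [snort/613]  SCAN myscan
IPv4: 192.168.200.2 -> 192.168.1.50
      hlen=5 TOS=0 dlen=44 ID=1684 flags=0 offset=0 TTL=253 chksum=48381
TCP:  port=10101 -> dport: 15868  flags=******S* seq=265602979
      ack=0 off=6 res=0 win=4096 urp=0 chksum=20739
"""


def parse_alert(text):
    """Extract the fields sid 613 looks at from the alert printout."""
    src, dst = re.search(r"IPv4: (\S+) -> (\S+)", text).groups()
    ttl = int(re.search(r"TTL=(\d+)", text).group(1))
    flags = re.search(r"flags=(\S+) seq=", text).group(1)   # TCP flags, not IP flags
    ack = int(re.search(r"ack=(\d+)", text).group(1))
    return {"src": src, "dst": dst, "ttl": ttl, "flags": flags, "ack": ack}


def matches_myscan(pkt, home_net):
    """Assumed sid 613 logic: SYN only, ack 0, TTL > 220, !$HOME_NET -> $HOME_NET.
    home_net is the list of CIDRs that make up $HOME_NET."""
    nets = [ipaddress.ip_network(n) for n in home_net]
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    src_home = any(src in n for n in nets)
    dst_home = any(dst in n for n in nets)
    syn_only = pkt["flags"] == "******S*"
    # A PIX sends with an initial TTL of 255, so an internal PIX one hop
    # away looks like the myscan fingerprint whenever it is outside $HOME_NET.
    return (not src_home) and dst_home and syn_only and pkt["ack"] == 0 and pkt["ttl"] > 220


if __name__ == "__main__":
    pkt = parse_alert(ALERT)
    print("HOME_NET without the PIX:", matches_myscan(pkt, ["192.168.1.0/24"]))
    print("HOME_NET including the PIX:",
          matches_myscan(pkt, ["192.168.1.0/24", "192.168.200.2/32"]))
```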