[Snort-sigs] Snort rule 613 False Positive

gandalf at ...2973...
Thu Jan 27 06:08:17 EST 2005

SCAN myscan
False Positives:
Cisco PIX ( talking to a Websense server ( generates this alert. Since the PIX IP address was not in $HOME_NET, it alerted:

(Sorry, I don't have the PCAP output, just the alert):
#(4 - 6807) [2005-01-25 18:33:38] [arachNIDS/439] [snort/613]  SCAN myscan
IPv4: ->
      hlen=5 TOS=0 dlen=44 ID=1684 flags=0 offset=0 TTL=253 chksum=48381
TCP:  port=10101 -> dport: 15868  flags=******S* seq=265602979
      ack=0 off=6 res=0 win=4096 urp=0 chksum=20739
       #1 - MSS len=2 data=05B4
Payload: none
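
Added example (not part of the original post, and not Snort's own code): a small triage script that parses an alert in the format above and shows why it fires when the PIX is outside $HOME_NET and stops firing once the PIX address is added. Assumptions: the elided addresses are replaced by documentation-range placeholders, rule 613 is taken to test source port 10101, SYN only, ack 0 and TTL above 220 from $EXTERNAL_NET to $HOME_NET (the post does not quote the rule), and $EXTERNAL_NET is !$HOME_NET. The function names are illustrative.

```python
import ipaddress
import re

# Constructed sample: the alert from the post, with documentation-range
# placeholder addresses where the archive elided the real ones.
ALERT = """\
#(4 - 6807) [2005-01-25 18:33:38] [arachNIDS/439] [snort/613]  SCAN myscan
IPv4: 192.0.2.10 -> 198.51.100.20
      hlen=5 TOS=0 dlen=44 ID=1684 flags=0 offset=0 TTL=253 chksum=48381
TCP:  port=10101 -> dport: 15868  flags=******S* seq=265602979
      ack=0 off=6 res=0 win=4096 urp=0 chksum=20739
       #1 - MSS len=2 data=05B4
Payload: none
"""

def parse_alert(text):
    """Extract the header fields needed for triage from one alert block."""
    src, dst = re.search(r"IPv4:\s*(\S+)\s*->\s*(\S+)", text).groups()
    tcp = re.search(r"TCP:\s*port=(\d+)\s*->\s*dport:\s*(\d+)\s*flags=(\S+)", text)
    return {
        "sid": int(re.search(r"\[snort/(\d+)\]", text).group(1)),
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "sport": int(tcp.group(1)),
        "flags": tcp.group(3).replace("*", ""),  # "******S*" -> "S"
        "ttl": int(re.search(r"TTL=(\d+)", text).group(1)),
        "ack": int(re.search(r"\back=(\d+)", text).group(1)),
    }

def in_nets(addr, cidrs):
    """True if addr falls inside any of the CIDR blocks."""
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def would_alert(a, home_net):
    """Assumed rule 613 tests, with EXTERNAL_NET taken to be !HOME_NET."""
    header = (a["sport"] == 10101 and a["flags"] == "S"
              and a["ack"] == 0 and a["ttl"] > 220)
    return header and not in_nets(a["src"], home_net) and in_nets(a["dst"], home_net)

if __name__ == "__main__":
    alert = parse_alert(ALERT)
    before = ["198.51.100.0/24"]        # Websense side only (constructed)
    after = before + ["192.0.2.10/32"]  # PIX address added (constructed)
    print("fires with original HOME_NET:", would_alert(alert, before))
    print("fires with PIX in HOME_NET: ", would_alert(alert, after))
```

If $EXTERNAL_NET is set to any rather than !$HOME_NET, adding the PIX to $HOME_NET does not change the outcome and a per-source suppression for sid 613 is the alternative.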

