[Snort-sigs] Bleeding-Edge Scan NMAP -sA (2) Rule
James Driskell - jdriskell
jdriskell at ...3197...
Wed Feb 15 10:50:08 EST 2006
I'm seeing a ton of hits on the Bleeding-Edge Scan NMAP -sA (2) Rule,
sid 2000540 coming from outside our network. Almost all are coming from
one source, but the source (a respectable organization (?)) claims that
they are clean and that the hits are the result of our users browsing
their web site. Has anyone else experienced a significant number of
false positives on this or any of the other Bleeding-Edge NMAP Scan
rules? Could returns from web sites trigger this rule? We're not
seeing very many other hits on this rule from any other sites.
Thanks in advance for any information.
University of Puget Sound
More information about the Snort-sigs