[Snort-sigs] Bleeding-Edge Scan NMAP -sA (2) Rule

James Driskell - jdriskell jdriskell at ...3197...
Wed Feb 15 10:50:08 EST 2006


Hello List,

I'm seeing a ton of hits on the Bleeding-Edge Scan NMAP -sA (2) Rule,
sid 2000540 coming from outside our network.  Almost all are coming from
one source, but the source (a respectable organization (?)) claims that
they are clean and that the hits are the result of our users browsing
their web site.  Has anyone else experienced a significant number of
false positives on this or any of the other Bleeding-Edge NMAP Scan
rules?  Could returns from web sites trigger this rule?  We're not
seeing very many other hits on this rule from any other sites.

Thanks in advance for any information.

Jim Driskell
University of Puget Sound




More information about the Snort-sigs mailing list