[Snort-sigs] Bleeding-Edge Scan NMAP -sA (2) Rule

Matt Jonkman mjonkman at ...2436...
Wed Feb 15 13:12:02 EST 2006


I'd take a look at how you're capturing data. I've seen falses when a
feed was either saturating the media, or was only showing traffic one
direction.

If possible I'd capture a chunk of traffic into a dumpfile, open that in
ethereal and see if you have full streams or fragments.

Matt

James Driskell - jdriskell wrote:
> Hello List,
> 
> I'm seeing a ton of hits on the Bleeding-Edge Scan NMAP -sA (2) Rule,
> sid 2000540 coming from outside our network.  Almost all are coming from
> one source, but the source (a respectable organization (?)) claims that
> they are clean and that the hits are the result of our users browsing
> their web site.  Has anyone else experienced a significant number of
> false positives on this or any of the other Bleeding-Edge NMAP Scan
> rules?  Could returns from web sites trigger this rule?  We're not
> seeing very many other hits on this rule from any other sites.
> 
> Thanks in advance for any information.
> 
> Jim Driskell
> University of Puget Sound
> 

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
www.bleedingsnort.com
--------------------------------------------




:wq
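Matt's advice above comes down to one check: does the sensor feed show both directions of each connection, and did a handshake precede the ACKs the rule is alerting on? The script below is an added example (not from the thread, and not part of the Bleeding-Edge ruleset) that automates that check on a capture. It assumes the capture has already been reduced to tab-separated fields, in the order ip.src, ip.dst, tcp.srcport, tcp.dstport, tcp.flags, for instance with `tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags`; the flag column is assumed to be a hex string (tshark prints 0x0010 or 0x010 depending on version, and both parse the same way). The packet lines embedded in the block are constructed sample data.

```python
"""Check a TCP capture for one-directional feeds before trusting ACK-scan alerts.

Input lines (constructed here, normally produced by tshark -T fields) look like:
    ip.src  ip.dst  tcp.srcport  tcp.dstport  tcp.flags
Per connection the script records whether packets were seen in both directions
and whether a SYN was seen before the first bare ACK. A feed that only shows one
direction makes a web server's ordinary ACKs look like an nmap -sA probe.
"""
from collections import Counter, defaultdict

SYN, ACK = 0x02, 0x10

# Constructed sample: one full handshake, one flow seen only server->client
# (the false-positive pattern), and one lone ACK to a closed-looking port.
SAMPLE = """\
10.0.0.5\t203.0.113.10\t40000\t80\t0x0002
203.0.113.10\t10.0.0.5\t80\t40000\t0x0012
10.0.0.5\t203.0.113.10\t40000\t80\t0x0010
203.0.113.10\t10.0.0.5\t80\t40000\t0x0018
203.0.113.10\t10.0.0.6\t80\t40001\t0x0010
203.0.113.10\t10.0.0.6\t80\t40001\t0x0018
203.0.113.10\t10.0.0.6\t80\t40001\t0x0010
198.51.100.7\t10.0.0.7\t1234\t22\t0x0010
""".splitlines()


def flow_key(src, dst, sport, dport):
    """Canonical bidirectional key so both directions map to the same flow."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def parse_line(line):
    src, dst, sport, dport, flags = line.rstrip("\n").split("\t")
    return src, dst, int(sport), int(dport), int(flags, 16)


def new_flow():
    return {"dirs": set(), "syn_seen": False, "unsolicited_ack": 0,
            "packets": 0, "ack_sources": Counter()}


def analyse(lines):
    """Group packets into flows and count ACKs that no handshake explains."""
    flows = defaultdict(new_flow)
    for line in lines:
        if not line.strip():
            continue
        src, dst, sport, dport, flags = parse_line(line)
        f = flows[flow_key(src, dst, sport, dport)]
        f["packets"] += 1
        f["dirs"].add((src, sport))
        if flags & SYN:
            f["syn_seen"] = True
        elif flags & ACK and not f["syn_seen"]:
            # ACK with no handshake in the capture: what an -sA rule keys on
            f["unsolicited_ack"] += 1
            f["ack_sources"][(src, sport)] += 1
    return flows


def summarize(flows):
    """Counts that say whether the feed is trustworthy at all."""
    total = len(flows)
    one_way = sum(1 for f in flows.values() if len(f["dirs"]) < 2)
    no_syn = sum(1 for f in flows.values() if not f["syn_seen"])
    return {"flows": total, "one_directional": one_way, "no_handshake": no_syn,
            "one_directional_ratio": one_way / total if total else 0.0}


def unsolicited_ack_sources(flows):
    """Who sent the unexplained ACKs. A single host's port 80 dominating the
    list points at return traffic from browsing; many ports from one source
    host is the pattern a real ACK scan would leave."""
    srcs = Counter()
    for f in flows.values():
        srcs.update(f["ack_sources"])
    return srcs


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    flows = analyse(lines)
    print(summarize(flows))
    for (ip, port), n in unsolicited_ack_sources(flows).most_common(10):
        print(f"{ip}:{port}  unexplained ACKs: {n}")
```

Run it against the field dump of a real capture; if most flows are one-directional and the unexplained ACKs all originate from port 80 of the site in question, the feed (span port, tap, or saturated link) is the problem, not the remote host. If both directions are present and the handshake is there, the alert deserves a closer look.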