[Snort-sigs] False positive on 116:58

Servelocity (Systems Team) systemsteam at ...3253...
Sun Oct 15 15:15:43 EDT 2006


FALSE POSITIVE

snort-sigs at lists.sourceforge.net

#0-(2-44) <http://85.8.128.224/base/base_qry_alert.php?submit=%230-%282-44%29&sort_order=>
[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=116:58>] (snort_decoder): Experimental Tcp Options found
2006-10-15 17:12:56
213.200.77.145 <http://85.8.128.224/base/base_stat_ipaddr.php?ip=213.200.77.145&netmask=32>:4985
213.200.77.146 <http://85.8.128.224/base/base_stat_ipaddr.php?ip=213.200.77.146&netmask32>:179
TCP


http://www.snort.org/pub-bin/sigs.cgi?sid=116:58

If we block the src IP on this, it kills the BGP sessions to our providers
(port 179), for example the one on 213.200.77.145/30 (Tiscali).

Where is this sig in /etc/snort/rules? Or in the source?

Hope this helps.

Thanks,

- Chris





