[Snort-sigs] False positive on 116:58
jhart at ...288...
Thu Oct 19 13:53:08 EDT 2006
On Sun, Oct 15, 2006 at 08:15:43PM +0100, Servelocity (Systems Team) wrote:
> FALSE POSITIVE
> snort-sigs at lists.sourceforge.net
> [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=116:58>]
> (snort_decoder): Experimental Tcp Options found 2006-10-15 17:12:56
> If we block src ip on this it kills the bgp sessions to our providers
> (port 179) for example the one on 220.127.116.11/30 (Tiscali)
> Where is this sig in /etc/snort/rules ?? or in the source ??
This really isn't a false positive per se, but rather a rule that you
need to tune according to your setup (with thresholds, etc). A false
positive is an event that isn't actually what the alerting
sig/preprocessor was designed to detect. In this case, the traffic you
are seeing is exactly what the sig was designed to detect.
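The tuning the reply points at, as an added snort.conf fragment that is not part of the thread: gid 116 is the decoder, so 116:58 is not in /etc/snort/rules; the 220.127.116.11/30 peer address is taken from the report, and the keyword syntax is Snort 2.x's as the editor knows it, not something the thread confirms.

```snort
# Added example, not from the thread. Decoder alerts (gid 116) come from Snort's
# packet decoder, not from a rules file, so they are tuned in snort.conf.

# Option 1: silence the alert for the BGP peer only (address from the report),
# so experimental TCP options from every other source are still reported.
suppress gen_id 116, sig_id 58, track by_src, ip 220.127.116.11/30

# Option 2: keep the alert but limit it to one event per source per hour, so a
# long-lived BGP session does not flood the console and trigger a block.
# (Snort 2.8.5 and later spell this keyword "event_filter" instead of "threshold".)
threshold gen_id 116, sig_id 58, type limit, track by_src, count 1, seconds 3600

# Option 3, broadest and with the least visibility: disable 116:58 everywhere.
config disable_tcpopt_experimental_alerts
```

Suppression is evaluated before thresholding, so options 1 and 2 can be combined; whichever is chosen, the source-IP block should key on the tuned event, not on the raw decoder alert.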