<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Looks like you are using the old COMMUNITY rules.  I suggest you purge these from your system and use the VRT Ruleset at <a href="http://www.snort.org/snort-rules">http://www.snort.org/snort-rules</a><div><br></div><div>The Registered User release is free.</div><div><br></div><div><div><br></div><div><div>On Aug 2, 2012, at 7:56 PM, PR <<a href="mailto:oly562@...2420...">oly562@...3418......</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">



<div>
Greetings,<br>
<br>
I am running acidbase on ubuntu server. <br>
<br>
i found this entry:<br>
<br>
COMMUNITY SIP TCP/IP message flooding directed to SIP proxy<br>
<br>
ID: #0-(7-1) [<a href="http://www.snortid.com/snortid.asp?QueryId=1:100000160">snort</a>]<br>
Signature: COMMUNITY SIP TCP/IP message flooding directed to SIP proxy<br>
Timestamp: 2012-08-02 06:42:12<br>
Source Address: 192.168.1.14:36642<br>
Dest. Address: 91.189.92.184:80<br>
Layer 4 Proto: TCP<br>
<br>
I am also a bit perplexed why snort and a sig that is not listed on the snort ID site:  <a href="http://www.snortid.com/snortid.asp?QueryId=1:100000160">http://www.snortid.com/snortid.asp?QueryId=1:100000160</a><br>
does not yield any results.<br>
<br>
Could you comment on how a cleanly installed snort acidbase could be sending out from a source: 192.168.1.14 to a destination: 91.189.92.184<font size="2">:80</font><br>
<br>
Notable: I have no automatic updates turned on on snort or ubuntu<br>
<br>
Anyone care to comment? Thanks guys/gals.<br>
<br>
l8 oly anderson<br>
snort user for like years now and I still don't know shyt.. lol.<br>
<br></div></blockquote></div><snip></div><div><br></div><div>BTW -- For those of you that are playing -- that's two drinks:</div><div><br></div><div><a href="http://blog.joelesler.net/p/snort-drinking-game.html">http://blog.joelesler.net/p/snort-drinking-game.html</a></div><div><br></div><div><div>--</div><div>Joel Esler</div><div>Senior Research Engineer, VRT</div><div>OpenSource Community Manager</div><div>Sourcefire</div></div><div><br></div><div><br></div></body></html>