[Snort-users] False PING NMAP TCP

Laurie Zirkle lat at ...214...
Fri Aug 4 11:57:54 EDT 2000


I'm starting to see more false alerts from the PING NMAP TCP alert
from the rules at www.snort.org.  In particular, load-balancing is
being flagged as PING NMAP TCP.  Any chance of getting a better rule
for this?  Here's one example:

Aug  4 08:41:59 hostm snort[314]: IDS028 - PING NMAP TCP: 205.128.11.157:80 -> z.y.w.98:53
Aug  4 08:41:59 hostm snort[314]: IDS028 - PING NMAP TCP: 205.128.11.157:53 -> z.y.w.98:53
------
[**] IDS028 - PING NMAP TCP [**]
08/04-08:41:59.180096 205.128.11.157:80 -> z.y.w.98:53
TCP TTL:44 TOS:0x0 ID:37618
******A* Seq: 0x335   Ack: 0x0   Win: 0x578
00 00 00 00 00 00                                ......

[**] IDS028 - PING NMAP TCP [**]
08/04-08:41:59.180237 205.128.11.157:53 -> z.y.w.98:53
TCP TTL:44 TOS:0x0 ID:37619
******A* Seq: 0x336   Ack: 0x0   Win: 0x578
00 00 00 00 00 00                                ......

-- 
Laurie
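The quoted alerts show what IDS028 keys on: a TCP segment with only the ACK flag set (`******A*`) and an acknowledgement number of zero (`Ack: 0x0`), which is the shape of an nmap TCP ping but also of the health-check probes some load balancers send. Short of a better rule, a defender can post-process the alert log and separate the two. The following is an added example, not code from the post or from the Snort project. It parses the Snort 1.x full-alert format as it appears above and applies a triage heuristic that is an assumption of this example: back-to-back ACK/ack=0 packets from one source to one host, sent from service ports (53 and 80 in the quoted alerts) with consecutive IP IDs and consecutive sequence numbers, are tagged as a probable load-balancer probe; any other ACK/ack=0 packet keeps the plain ACK-ping tag. The third record (source 192.0.2.10) is constructed to show the non-matching case.

```python
import re
from collections import defaultdict

# Constructed sample input: the two records quoted in the post, plus one
# constructed record (192.0.2.10, a documentation address) that stands in
# for a lone ACK/ack=0 probe and is not part of the original message.
SAMPLE_ALERTS = """\
[**] IDS028 - PING NMAP TCP [**]
08/04-08:41:59.180096 205.128.11.157:80 -> z.y.w.98:53
TCP TTL:44 TOS:0x0 ID:37618
******A* Seq: 0x335   Ack: 0x0   Win: 0x578
00 00 00 00 00 00                                ......

[**] IDS028 - PING NMAP TCP [**]
08/04-08:41:59.180237 205.128.11.157:53 -> z.y.w.98:53
TCP TTL:44 TOS:0x0 ID:37619
******A* Seq: 0x336   Ack: 0x0   Win: 0x578
00 00 00 00 00 00                                ......

[**] IDS028 - PING NMAP TCP [**]
08/04-09:12:03.000001 192.0.2.10:40123 -> z.y.w.98:80
TCP TTL:51 TOS:0x0 ID:8231
******A* Seq: 0x1A2B3C4D   Ack: 0x0   Win: 0x400
"""

# One regex per line type of the Snort 1.x full-alert record.
MSG_RE = re.compile(r"^\[\*\*\] (?P<msg>.+?) \[\*\*\]$")
ADDR_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$")
IP_RE = re.compile(r"^TCP TTL:(?P<ttl>\d+) TOS:(?P<tos>0x[0-9a-fA-F]+) ID:(?P<ipid>\d+)")
TCP_RE = re.compile(r"^(?P<flags>\S{8}) Seq: (?P<seq>0x[0-9a-fA-F]+)\s+Ack: (?P<ack>0x[0-9a-fA-F]+)"
                    r"\s+Win: (?P<win>0x[0-9a-fA-F]+)")

# Assumption of this example: source ports seen on load-balancer probes.
SERVICE_SOURCE_PORTS = {53, 80}


def parse_alerts(text):
    """Turn full-alert text into a list of dicts, one per '[**] ... [**]' record."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.rstrip()
        m = MSG_RE.match(line)
        if m:
            cur = {"msg": m["msg"]}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = ADDR_RE.match(line)
        if m:
            cur.update(ts=m["ts"], src=m["src"], sport=int(m["sport"]),
                       dst=m["dst"], dport=int(m["dport"]))
            continue
        m = IP_RE.match(line)
        if m:
            cur.update(ttl=int(m["ttl"]), ipid=int(m["ipid"]))
            continue
        m = TCP_RE.match(line)
        if m:
            cur.update(flags=m["flags"], seq=int(m["seq"], 16),
                       ack=int(m["ack"], 16), win=int(m["win"], 16))
    return records


def is_ack_ping(r):
    """Only the ACK flag set and ack number zero: the packet shape IDS028 reports."""
    flags = r.get("flags", "")
    return flags.replace("*", "") == "A" and r.get("ack") == 0


def triage(records):
    """Map each ACK-ping alert's timestamp to 'lb-probe' or 'ack-ping'.

    Heuristic (an assumption of this example, not a Snort rule): consecutive
    alerts for the same src/dst pair, both from service ports, whose IP IDs
    and sequence numbers each increase by exactly one, look like the probe
    pair quoted in the post rather than a single nmap ping."""
    by_pair = defaultdict(list)
    for r in records:
        if is_ack_ping(r):
            by_pair[(r["src"], r["dst"])].append(r)
    verdicts = {}
    for group in by_pair.values():
        group.sort(key=lambda r: r["ts"])
        flagged = set()
        for i in range(len(group) - 1):
            a, b = group[i], group[i + 1]
            if (a["sport"] in SERVICE_SOURCE_PORTS and b["sport"] in SERVICE_SOURCE_PORTS
                    and b["ipid"] - a["ipid"] == 1 and b["seq"] - a["seq"] == 1):
                flagged.update({i, i + 1})
        for i, r in enumerate(group):
            verdicts[r["ts"]] = "lb-probe" if i in flagged else "ack-ping"
    return verdicts


if __name__ == "__main__":
    for ts, verdict in sorted(triage(parse_alerts(SAMPLE_ALERTS)).items()):
        print(ts, verdict)
```

The flags are tested by letter rather than by column so the parser does not depend on the flag ordering of a particular Snort release. The heuristic only downgrades alerts that exhibit the paired, sequential pattern visible in the quoted records; a single ACK/ack=0 packet from an ephemeral port is left tagged as it was, so the triage narrows the noise without hiding the case the rule exists for.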