[Snort-users] eliminating false positives

John Greer jbgreer at ...1052...
Fri Jan 26 08:24:00 EST 2001

Windows machines always send a broadcast to every time they boot.
That is normal behavior.  What is not normal and could be some sort of
attack is if some machine responds to that message and sends back the same
packet to its direct address.

You are probably using the any any ruleset.  To eliminate the false positive
change the destination for the rule (the l0phtattack rule or IDS174) to
! or $HOME_NET (because is outside your home range).  The
rule appears twice as both l0phtattack and IDS174 in the latest rule set I
grabbed from snort.org.

alert icmp any any -> ! any

Any packet of this type being sent directly to one of your boxes could be
someone trying to convince your Windows box to add some illegitimate default

-----Original Message-----
From: Ragnar Beer [mailto:rbeer at ...1214...]
Sent: Friday, January 26, 2001 5:43 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] eliminating false positives


I'm new to snort and got everything running well. But although I set 
HOME_NET to one address/32 all the windows machines in our whole net 
show up with 3 ICMPs to every now and then ("ICMP unknown 
type"). What do I need to do to get rid of these alerts?

A second question: What's the EXTERNAL_NET var in snortfull.conf good 
for? Isn't everything external that's not HOME_NET?

