[Snort-users] eliminating false positives
jbgreer at ...1052...
Fri Jan 26 08:24:00 EST 2001
Windows machines always send a broadcast to 188.8.131.52 every time they boot.
That is normal behavior. What is not normal and could be some sort of
attack is if some machine responds to that message and send back the same
packet to it's direct address.
You are probably using the any any ruleset. To eliminate the false positive
change the destination for the rule (the l0phtattack rule or IDS174) to
!184.108.40.206 or $HOME_NET (because 220.127.116.11 is outside your home range). The
rule appears twice as both l0phtattack and IDS174 in the latest rule set I
grabbed from snort.org.
alert icmp any any -> !18.104.22.168 any
Any packet of this type being sent directly to one of your boxes could be
someone trying to convince your Windows box to add some illegitimate default
From: Ragnar Beer [mailto:rbeer at ...1214...]
Sent: Friday, January 26, 2001 5:43 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] eliminating false positives
I'm new to snort and got everything running well. But although I set
HOME_NET to one address/32 all the windows machines in our whole net
show up with 3 ICMPs to 22.214.171.124 every now and then ("ICMP unknown
type"). What do I need to do to get rid of these alerts?
A second question: What's the EXTERNAL_NET var in snortfull.conf good
for? Isn't everything external that's not HOME_NET?
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
More information about the Snort-users