[Snort-users] eliminating false positives

John Greer jbgreer at ...1052...
Fri Jan 26 08:24:00 EST 2001


Windows machines always send a broadcast to 224.0.0.2 every time they boot.
That is normal behavior.  What is not normal and could be some sort of
attack is if some machine responds to that message and sends back the same
packet to its direct address.

You are probably using the "any any" ruleset.  To eliminate the false positive,
change the destination for the rule (the l0phtattack rule or IDS174) to
!224.0.0.2 or $HOME_NET (because 224.0.0.2 is outside your home range).  The
rule appears twice, as both l0phtattack and IDS174, in the latest rule set I
grabbed from snort.org.

alert icmp any any -> !224.0.0.2 any (msg:"MISC-IRDP-Router-Selection(l0phtattack)";itype:10;)

Any packet of this type being sent directly to one of your boxes could be
someone trying to convince your Windows box to add some illegitimate default
routes. 


John
-----Original Message-----
From: Ragnar Beer [mailto:rbeer at ...1214...]
Sent: Friday, January 26, 2001 5:43 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] eliminating false positives


Howdy!

I'm new to snort and got everything running well. But although I set 
HOME_NET to one address/32 all the windows machines in our whole net 
show up with 3 ICMPs to 224.0.0.2 every now and then ("ICMP unknown 
type"). What do I need to do to get rid of these alerts?

A second question: What's the EXTERNAL_NET var in snortfull.conf good 
for? Isn't everything external that's not HOME_NET?

Ragnar

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
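Added example, not part of the thread and not Snort's own matching code: a small
Python model of how the address fields of a Snort ICMP rule are evaluated, run
over a handful of constructed packets.  It shows why the "any any" destination
fires on every boot-time solicitation to 224.0.0.2, why "!224.0.0.2" or
"$HOME_NET" as the destination keeps only solicitations aimed straight at one
of your hosts, and what a separate EXTERNAL_NET buys you over "any" as the
source.  The HOME_NET range (a /24 rather than the /32 in the question), the
EXTERNAL_NET definition, the addresses and the packets are all assumptions made
up for the illustration; the rule text is the one from the reply above.

```python
"""Toy model of Snort ICMP rule matching (added example, not Snort code).

Packets, addresses and the HOME_NET/EXTERNAL_NET values are constructed
for the illustration; only the rule header/option syntax follows Snort.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample traffic as (src, dst, ICMP type).  Type 10 is an
# IRDP router solicitation; 224.0.0.2 is the all-routers multicast group.
SAMPLE_PACKETS = [
    ("10.1.2.3", "224.0.0.2", 10),       # Windows box booting: normal
    ("10.1.2.4", "224.0.0.2", 10),       # another one: normal
    ("10.1.2.9", "10.1.2.10", 10),       # aimed at one host, from inside the home range
    ("198.51.100.7", "10.1.2.10", 10),   # aimed at one host, from outside
    ("10.1.2.3", "224.0.0.2", 8),        # echo request: itype does not match
]

# Assumed snort.conf "var" values.  EXTERNAL_NET is defined as the
# negation of HOME_NET, which is exactly what makes it differ from "any".
VARS = {"HOME_NET": "10.1.2.0/24", "EXTERNAL_NET": "!$HOME_NET"}

OPTS = '(msg:"MISC-IRDP-Router-Selection(l0phtattack)";itype:10;)'
ORIGINAL_RULE = "alert icmp any any -> any any " + OPTS
NOT_MCAST_RULE = "alert icmp any any -> !224.0.0.2 any " + OPTS
HOME_NET_RULE = "alert icmp any any -> $HOME_NET any " + OPTS
EXTERNAL_RULE = "alert icmp $EXTERNAL_NET any -> $HOME_NET any " + OPTS


@dataclass
class Rule:
    proto: str
    src: str
    dst: str
    itype: Optional[int]
    msg: str


def parse_rule(text: str) -> Rule:
    """Split a one-line rule into its header fields and the options modelled here."""
    head, _, opts = text.partition("(")
    action, proto, src, sport, arrow, dst, dport = head.split()
    body = opts.strip()
    if body.endswith(")"):
        body = body[:-1]
    options = {}
    for item in body.split(";"):
        if item.strip():
            key, _, value = item.partition(":")
            options[key.strip()] = value.strip()
    itype = int(options["itype"]) if "itype" in options else None
    return Rule(proto, src, dst, itype, options.get("msg", "").strip('"'))


def resolve(spec: str, variables: dict) -> tuple:
    """Expand $VAR references and fold any '!' prefixes into a single flag."""
    negate = False
    while True:
        if spec.startswith("!"):
            negate = not negate
            spec = spec[1:]
        elif spec.startswith("$"):
            spec = variables[spec[1:]]
        else:
            return negate, spec


def addr_matches(spec: str, ip: str, variables: dict) -> bool:
    """True if ip satisfies an address spec such as any, !224.0.0.2 or $HOME_NET."""
    negate, spec = resolve(spec, variables)
    if spec == "any":
        hit = True
    else:
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def rule_fires(rule: Rule, packet: tuple, variables: dict) -> bool:
    src, dst, icmp_type = packet
    return (rule.proto == "icmp"
            and addr_matches(rule.src, src, variables)
            and addr_matches(rule.dst, dst, variables)
            and (rule.itype is None or rule.itype == icmp_type))


def alerts(rule_text: str, packets: list, variables: dict = VARS) -> list:
    """Return the packets that would raise an alert under the given rule."""
    rule = parse_rule(rule_text)
    return [p for p in packets if rule_fires(rule, p, variables)]


if __name__ == "__main__":
    for name, rule in [("any -> any", ORIGINAL_RULE), ("any -> !224.0.0.2", NOT_MCAST_RULE),
                       ("any -> $HOME_NET", HOME_NET_RULE), ("$EXTERNAL_NET -> $HOME_NET", EXTERNAL_RULE)]:
        print(f"{name:28} {len(alerts(rule, SAMPLE_PACKETS))} alert(s)")
    # With EXTERNAL_NET left as "any", the inside-to-inside solicitation fires too.
    loose = dict(VARS, EXTERNAL_NET="any")
    print(f"{'EXTERNAL_NET = any':28} {len(alerts(EXTERNAL_RULE, SAMPLE_PACKETS, loose))} alert(s)")
```

Run as a script it prints 4, 2, 2 and 1 alerts for the four rules, then 2 for the
last one once EXTERNAL_NET is "any": the two multicast boot packets only ever
match the unconstrained destination, and the source side only filters out
inside-to-inside traffic when EXTERNAL_NET really is the complement of HOME_NET.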
