[Snort-users] false positives?

Cilin cilin5 at ...131...
Mon Nov 29 09:07:01 EST 2004


Jeff,

I was experimenting with the HOME_NET variable and
decided to narrow it down to only the snort box
itself. Then the 

"NETBIOS SMB-DS IPC$ share unicode access." 

alert started triggering on normal activity. So I
would double check if the sources of these alerts are
from boxes that should have access to shared
resources.

Also, I logged tons of NETBIOS alerts when i was
trying to setup Symantec AV and connect a client box
to the 'protected' workgroup.

Hope this helps,

Vents




	
		
__________________________________ 
Do you Yahoo!? 
Yahoo! Mail - You care about security. So do we. 
http://promotions.yahoo.com/new_mail




More information about the Snort-users mailing list