[Snort-users] False positives

Leon Ward leon.ward at ...1935...
Fri Aug 4 02:58:20 EDT 2006


It is not a rule-based alert, but a preprocessor.

Take a look at the Snort manual

http://snort.org/docs/snort_htmanuals/htmanual_2.4/rc1/node11.html

- Leon

On 3 Aug 2006, at 12:21, Jesús Gálvez wrote:

> Hi. I have Snort running as NIDS in a LAN. I use ACID to see the
> alerts. I find a lot of false positives, above all this:
>
>
> (portscan) TCP Portsweep
>
> and it shows local source IPs and destination IPs that aren't scanning; some
> don't even exist. I don't know what rule can be triggering the
> alarm. Can anybody help me?
>
> Thanks.

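An added example, not part of the original thread or of Snort's own code: the generator ID (GID) in an alert header shows whether a rule or a preprocessor raised it, with sfPortscan using GID 122 and text rules GID 1. It assumes alerts are also written in Snort's fast alert format; the sample lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Generator IDs: 1 = text rules, 3 = shared-object rules (later Snort
# releases); any other GID comes from a preprocessor or the decoder.
RULE_GIDS = {1, 3}
SFPORTSCAN_GID = 122

# Matches Snort "fast" alert lines; ports are optional because portscan
# alerts carry bare addresses.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{[^}]*\}\s+(?P<src>\d+(?:\.\d+){3})(?::\d+)?\s+->\s+(?P<dst>\d+(?:\.\d+){3})"
)

# Constructed sample alerts (not taken from the thread).
SAMPLE = """\
08/03-12:20:01.000001  [**] [122:3:0] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 192.168.1.10 -> 192.168.1.77
08/03-12:20:09.000002  [**] [122:3:0] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 192.168.1.10 -> 192.168.1.201
08/03-12:20:15.000003  [**] [1:1000001:1] Constructed local rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.30:40112 -> 192.168.1.5:80
08/03-12:21:40.000004  [**] [122:3:0] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 192.168.1.53 -> 192.168.1.10
not an alert line
"""

def classify(lines):
    """Split alerts into rule-based and preprocessor-generated groups."""
    groups = defaultdict(list)
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # skip anything that is not a fast-format alert
        kind = "rule" if int(m["gid"]) in RULE_GIDS else "preprocessor"
        groups[kind].append(m.groupdict())
    return groups

def portscan_sources(alerts):
    """Count sfPortscan alerts per source address."""
    return Counter(a["src"] for a in alerts if int(a["gid"]) == SFPORTSCAN_GID)

if __name__ == "__main__":
    groups = classify(SAMPLE.splitlines())
    print("rule alerts:", len(groups["rule"]))
    print("preprocessor alerts:", len(groups["preprocessor"]))
    for src, n in portscan_sources(groups["preprocessor"]).most_common():
        print(f"  {src}: {n} portscan alert(s)")
```

Sources that dominate the portscan count are the hosts to review when tuning the sfPortscan preprocessor settings described in the manual.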