[Snort-users] coughing up water on FP and notifications
saintcrusty at ...11827...
Fri Apr 1 07:59:25 EDT 2011
Now I'm running this trial Snort sensor against a medium-volume network
(about 100 Mbit) I notice what must be false positives regularly.
Though it is reported none are known on the SID page(s). I'm quite
confident this is mostly and most likely a PEBKAC situation.
For dcerpc I've tuned a bit and now it makes more sense. However, as this
network is likely to have suffered a trojan infection I'm anxious to filter
out any configuration-related mistakes responsible for false positives /
false negatives. Reading the manual does help so far but as I said I'm
For http://www.snort.org/search/sid/3-15114 I see repeated alerts but this
confuses me. From what I've read this should mean there is an actual exploit
being executed. From what I think I understand this means there is a
vulnerable service accessible OR there is actually code being run against a
vulnerable service. Based on the specific rule I'm assuming this is most
likely and indeed bad news.
I'm short on time so any pointer to a good read would be most welcome.
- - -
Security Engineer - Tags: Analyst Systems Security Linux Firewall Network
Web Troubleshooting - If you think I deserve a rant, write me off-list
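As an added example (not part of the original post and not Snort project code): before suppressing or thresholding a rule such as 3:15114, it helps to see how the alerts are distributed, because one internal source fanning out to many hosts on port 445 reads very differently from one exposed service being hit from many sources. The script below parses Snort's alert_fast output format and groups alerts by gid:sid, source and destination. All alert lines are constructed for this example; the message text for 3:15114 is a placeholder, not the real rule message, and the dcerpc rule 1:100001 is a made-up local SID.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Snort's alert_fast format (made up for this
# example; messages are placeholders, not the real rule text).
SAMPLE_ALERTS = """\
04/01-07:12:03.114522  [**] [3:15114:4] PLACEHOLDER-MSG for sid 15114 [**] [Priority: 1] {TCP} 10.1.2.3:49210 -> 10.1.9.5:445
04/01-07:12:09.201337  [**] [3:15114:4] PLACEHOLDER-MSG for sid 15114 [**] [Priority: 1] {TCP} 10.1.2.3:49214 -> 10.1.9.6:445
04/01-07:12:15.887001  [**] [3:15114:4] PLACEHOLDER-MSG for sid 15114 [**] [Priority: 1] {TCP} 10.1.2.3:49220 -> 10.1.9.7:445
04/01-07:13:40.000912  [**] [1:100001:1] CONSTRUCTED dcerpc test rule [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.1.5.20:52000 -> 10.1.9.5:135
04/01-07:13:41.120044  [**] [1:100001:1] CONSTRUCTED dcerpc test rule [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.1.5.20:52001 -> 10.1.9.5:135
"""

# One alert_fast line: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {proto} src:port -> dst:port. Classification is optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); ICMP alerts carry no port."""
    host, sep, port = endpoint.rpartition(":")
    return (host, port) if sep else (endpoint, "")


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not alert_fast format."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["prio"] = int(d["prio"])
    d["src_host"], d["src_port"] = split_endpoint(d["src"])
    d["dst_host"], d["dst_port"] = split_endpoint(d["dst"])
    return d


def summarize(text):
    """Group alerts by gid:sid with counts, distinct sources/destinations and dest ports."""
    by_rule = defaultdict(lambda: {"count": 0, "sources": set(),
                                   "dests": set(), "dest_ports": Counter()})
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue  # skip blank or non-alert lines rather than crash on them
        r = by_rule[f"{a['gid']}:{a['sid']}"]
        r["count"] += 1
        r["sources"].add(a["src_host"])
        r["dests"].add(a["dst_host"])
        r["dest_ports"][a["dst_port"]] += 1
    return by_rule


def triage_label(rule_stats):
    """Coarse shape of the alert set; a starting point for review, not a verdict."""
    n_src, n_dst = len(rule_stats["sources"]), len(rule_stats["dests"])
    if n_src == 1 and n_dst >= 3:
        return "fan-out"   # one source, many destinations: look at the source host first
    if n_src >= 3 and n_dst == 1:
        return "fan-in"    # many sources, one destination: check the destination's exposure
    return "repeat"        # same pair(s) repeating: compare with known traffic before thresholding


if __name__ == "__main__":
    for rule, stats in sorted(summarize(SAMPLE_ALERTS).items()):
        print(f"{rule}: {stats['count']} alerts, {len(stats['sources'])} src, "
              f"{len(stats['dests'])} dst, ports={dict(stats['dest_ports'])}, "
              f"shape={triage_label(stats)}")
```

Point the script at a real alert_fast log by reading the file instead of `SAMPLE_ALERTS`. A "fan-out" shape on 3:15114 from a single internal host is the pattern worth checking against the host itself before touching rule thresholds; a "repeat" shape between the same two hosts is the case where comparing against known application traffic usually settles whether a threshold or suppress entry is justified.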