[Snort-users] coughing up water on FP and notifications

Crusty Saint saintcrusty at ...11827...
Fri Apr 1 07:59:25 EDT 2011


Hi,

Now I'm running this trial Snort sensor against a medium-volume network
(about 100 Mbit), I notice what must be false positives regularly.

Though, as reported, none are known on the SID page(s). I'm quite
confident this is mostly and most likely a PEBKAC situation.

For dcerpc I've tuned a bit and now it makes more sense. However, as this
network is likely to have suffered a trojan infection, I'm anxious to filter
out any configuration-related mistakes responsible for false positives /
false negatives. Reading the manual does help so far, but as I said, I'm
anxious.

For http://www.snort.org/search/sid/3-15114 I see repeated alerts, but this
confuses me. From what I've read, this should mean there is an actual exploit
being executed. From what I think I understand, this means there is a
vulnerable service accessible OR there is actually code being run against a
vulnerable service. Based on the specific rule, I'm assuming this is most
likely and indeed bad news.

I'm short on time so any pointer to a good read would be most welcome.


Best Regards,

SC.

-- 
- - -
Security Engineer - Tags: Analyst Systems Security Linux Firewall Network
Web Troubleshooting - If you think I deserve a rant, write me off-list
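The triage step the post is asking about (deciding whether a repeating alert is a tuning problem or a real event before touching threshold.conf) is easier with a per-SID summary of who is hitting whom. The following is an added example, not code from the post or from the Snort project: it parses Snort's `alert_fast` output format, groups alerts by generator/SID, labels the source/destination pattern, and renders the `suppress` and `event_filter` lines Snort's threshold.conf accepts for a pair that has been confirmed benign. The alert lines, SIDs, IP addresses and message texts below are constructed samples; in particular nothing here describes what rule 3:15114 actually detects.

```python
import re
from collections import defaultdict

# Snort "alert_fast" layout (one alert per line):
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {proto} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>[A-Za-z]+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts; the SIDs, hosts and messages are invented for this example.
SAMPLE_ALERTS = [
    "04/01-07:10:01.000001  [**] [3:15114:1] SAMPLE msg A [**] [Classification: sample-class] [Priority: 1] {TCP} 10.1.2.3:4455 -> 10.1.9.9:445",
    "04/01-07:10:02.000002  [**] [3:15114:1] SAMPLE msg A [**] [Classification: sample-class] [Priority: 1] {TCP} 10.1.2.3:4456 -> 10.1.9.10:445",
    "04/01-07:10:03.000003  [**] [3:15114:1] SAMPLE msg A [**] [Classification: sample-class] [Priority: 1] {TCP} 10.1.2.3:4457 -> 10.1.9.11:445",
    "04/01-07:10:04.000004  [**] [3:15114:1] SAMPLE msg A [**] [Classification: sample-class] [Priority: 1] {TCP} 10.1.2.3:4458 -> 10.1.9.12:445",
    "04/01-07:11:00.000005  [**] [1:2000001:2] SAMPLE msg B [**] [Classification: sample-class] [Priority: 3] {TCP} 10.1.5.5:51000 -> 10.1.0.2:135",
    "04/01-07:12:00.000006  [**] [1:2000001:2] SAMPLE msg B [**] [Classification: sample-class] [Priority: 3] {TCP} 10.1.5.5:51001 -> 10.1.0.2:135",
    "04/01-07:13:00.000007  [**] [1:2000001:2] SAMPLE msg B [**] [Classification: sample-class] [Priority: 3] {TCP} 10.1.5.5:51002 -> 10.1.0.2:135",
    "04/01-07:14:00.000008  [**] [1:2000002:1] SAMPLE msg C [**] {ICMP} 10.1.7.7 -> 10.1.0.1",
    "this line is not an alert and must be skipped",
]


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        d[key] = int(d[key]) if d[key] is not None else None
    return d


def summarize(lines):
    """Group alerts by (gid, sid) and collect the distinct sources, destinations and ports."""
    stats = defaultdict(lambda: {"count": 0, "msg": None, "srcs": set(), "dsts": set(), "dports": set()})
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # non-alert noise in the file
        s = stats[(a["gid"], a["sid"])]
        s["count"] += 1
        s["msg"] = a["msg"]
        s["srcs"].add(a["src"])
        s["dsts"].add(a["dst"])
        if a["dport"] is not None:
            s["dports"].add(a["dport"])
    return dict(stats)


def triage_hint(stat, fan=3):
    """Label the talker pattern for one rule. This is a heuristic to order verification,
    not a verdict: a 'single-pair' repeat is the usual shape of a benign application
    quirk, a 'fan-out' from one internal host is the shape the post is worried about
    (one host probing many) and should be checked on that host before anything is tuned."""
    n_src, n_dst = len(stat["srcs"]), len(stat["dsts"])
    if n_src == 1 and n_dst >= fan:
        return "fan-out"
    if n_dst == 1 and n_src >= fan:
        return "fan-in"
    if n_src == 1 and n_dst == 1:
        return "single-pair"
    return "mixed"


def suppress_line(gid, sid, track, ip):
    """threshold.conf line that silences one rule for one source or destination host."""
    if track not in ("by_src", "by_dst"):
        raise ValueError("track must be by_src or by_dst")
    return f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {ip}"


def rate_limit_line(gid, sid, count=1, seconds=60):
    """threshold.conf event_filter that keeps the rule active but caps alert volume per source."""
    return f"event_filter gen_id {gid}, sig_id {sid}, type limit, track by_src, count {count}, seconds {seconds}"


if __name__ == "__main__":
    for (gid, sid), s in sorted(summarize(SAMPLE_ALERTS).items()):
        print(f"[{gid}:{sid}] {s['count']:4d} alerts  {len(s['srcs'])} src  {len(s['dsts'])} dst  "
              f"ports={sorted(s['dports'])}  pattern={triage_hint(s)}  msg={s['msg']}")
```

Run it against a real `alert` file by replacing `SAMPLE_ALERTS` with the file's lines. The point of the pattern label is ordering the work: a single repeating pair is where a packet capture of the flagged flow usually confirms a benign quirk, after which `suppress_line` gives the exact line for threshold.conf; a fan-out from one internal host is the case where suppression would hide the very activity the post suspects, so that host is inspected first and the rule is left alone.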