[Snort-users] False positives

Philip Edwards phil.e at ...15568...
Wed Aug 22 07:22:52 EDT 2012

Hi everyone,

For some reason my web browsing is triggering this alert:

COMMUNITY SIP TCP/IP message flooding directed to SIP proxy

The rule states that the destination port should be 5060.

Here's an example from the tcpdump of some traffic that triggered it:

11:32:42.061722 IP www.iana.org.http > Flags [P.], seq 671861960:671862675, ack 1684832370, win 4637, options [nop,nop,TS val 1306801397 ecr 3575], length 715

2:02:45.257090 IP ubuntu.datahop.net.http > Flags [.], seq 2045446811:2045448217, ack 4063795559, win 158, options [nop,nop,TS val 428843889 ecr 454408], length 1406

Any help would be much appreciated.



