[Snort-users] False positives

Philip Edwards phil.e at ...15568...
Wed Aug 22 07:22:52 EDT 2012



Hi everyone,

For some reason my web browsing is triggering this alert:

COMMUNITY SIP TCP/IP message flooding directed to SIP proxy

The rule states that the destination port should be 5060. 

Here's an example from the tcpdump of some traffic that triggered it:

11:32:42.061722 IP www.iana.org.http > 192.168.1.2.33636: Flags [P.], seq 671861960:671862675, ack 1684832370, win 4637, options [nop,nop,TS val 1306801397 ecr 3575], length 715

2:02:45.257090 IP ubuntu.datahop.net.http > 192.168.1.2.38676: Flags [.], seq 2045446811:2045448217, ack 4063795559, win 158, options [nop,nop,TS val 428843889 ecr 454408], length 1406


Any help would be much appreciated.

Thanks

Phil.
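
An added example, not part of the original post and not Snort code: a small triage script that parses tcpdump lines like the two quoted above and compares each packet's destination port with the 5060 the rule is said to require. The function names and the service-name map are assumptions made for this example; the sample lines are the post's packets trimmed after the Flags field.

```python
import re

# Assumption: small map for the port names tcpdump prints when run without -n.
SERVICE_PORTS = {"http": 80, "https": 443, "sip": 5060}
RULE_DST_PORT = 5060  # destination port the post says the rule requires

# timestamp, "IP", source endpoint, ">", destination endpoint, ":"
LINE_RE = re.compile(r"^(?P<ts>[\d:.]+) IP (?P<src>\S+) > (?P<dst>\S+): ")

# The two packets quoted in the post, trimmed after the Flags field.
SAMPLE_LINES = [
    "11:32:42.061722 IP www.iana.org.http > 192.168.1.2.33636: Flags [P.], length 715",
    "2:02:45.257090 IP ubuntu.datahop.net.http > 192.168.1.2.38676: Flags [.], length 1406",
]


def split_endpoint(endpoint):
    """Split tcpdump's host.port form; the port is whatever follows the last dot."""
    host, _, port = endpoint.rpartition(".")
    if port.isdigit():
        return host, int(port)
    return host, SERVICE_PORTS.get(port)  # None when the name is not in the map


def parse_line(line):
    """Return the endpoints of one IPv4 TCP/UDP tcpdump line, or None if unparsed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    src_host, src_port = split_endpoint(m.group("src"))
    dst_host, dst_port = split_endpoint(m.group("dst"))
    return {"ts": m.group("ts"), "src_host": src_host, "src_port": src_port,
            "dst_host": dst_host, "dst_port": dst_port}


def triage(lines, rule_port=RULE_DST_PORT):
    """Flag, per packet, whether its destination port equals the rule's port."""
    results = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is not None:
            pkt["matches_rule_port"] = pkt["dst_port"] == rule_port
            results.append(pkt)
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LINES):
        print(r["ts"], r["src_host"], r["src_port"], "->", r["dst_host"],
              r["dst_port"], "rule port match:", r["matches_rule_port"])
```

Capturing with `tcpdump -n` prints numeric ports and removes the need for the name map.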


