[Snort-users] False positives
phil.e at ...15568...
Wed Aug 22 07:22:52 EDT 2012
For some reason my web browsing is triggering this alert:
COMMUNITY SIP TCP/IP message flooding directed to SIP proxy
The rule states that the destination port should be 5060.
Here's an example from the tcpdump of some traffic that triggered it:
11:32:42.061722 IP www.iana.org.http > 192.168.1.2.33636: Flags [P.], seq 671861960:671862675, ack 1684832370, win 4637, options [nop,nop,TS val 1306801397 ecr 3575], length 715
2:02:45.257090 IP ubuntu.datahop.net.http > 192.168.1.2.38676: Flags [.], seq 2045446811:2045448217, ack 4063795559, win 158, options [nop,nop,TS val 428843889 ecr 454408], length 1406
Any help would be much appreciated.