[Snort-users] False positives

Joel Esler jesler at ...1935...
Wed Aug 22 11:01:29 EDT 2012


On Aug 22, 2012, at 7:22 AM, Philip Edwards <phil.e at ...15568...> wrote:
> Hi everyone,
> 
> For some reason my web browsing is triggering this alert:
> 
> COMMUNITY SIP TCP/IP message flooding directed  to SIP proxy
> 
> The rule states that the destination port should be 5060. 
> 
> Here's an example from the tcpdump of some traffic that triggered it:
> 
> 11:32:42.061722 IP www.iana.org.http > 192.168.1.2.33636: Flags [P.], seq 671861960:671862675, ack 1684832370, win 4637, options [nop,nop,TS val 1306801397 ecr 3575], length 715
> 
> 2:02:45.257090 IP ubuntu.datahop.net.http > 192.168.1.2.38676: Flags [.], seq 2045446811:2045448217, ack 4063795559, win 158, options [nop,nop,TS val 428843889 ecr 454408], length 1406

So I am guessing you are running debian or ubuntu or something (one of these distros builds in the COMMUNITY rules).

I'd recommend using pulledpork to download the latest ruleset from Snort.org, and erase all of those old COMMUNITY rules.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire



More information about the Snort-users mailing list