[Snort-users] False positive

Joel Esler jesler at ...1935...
Wed May 16 09:40:43 EDT 2012


Is there any way you can provide some pcaps to illustrate your FP?

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


On May 16, 2012, at 7:08 AM, Philip Edwards wrote:

> 
> 
> Hi,
> 
> I have recently installed snort on ubuntu and am just attempting to tune out the noise.
> For some reason the BAD-TRAFFIC (same source and destination) rule is firing on DHCP broadcasts.
> 
> The source is 0.0.0.0 port 67 and the destination is 255.255.255.255 port 68.
> 
> Since the source and destination are different can anyone clue me in?
> 
> Thanks
> 
> Phil Edwards=




More information about the Snort-users mailing list