[Snort-users] False positives/Oink Code/Oinkmaster vs Pulled Pork?

PR oly562 at ...11827...
Thu Sep 6 12:35:07 EDT 2012


Hello,

I installed acidbase and snort-mysql today. It's up and running; however, I
still get this activity.

#23-(1-2)   [snort] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy
2012-09-06 08:37:33   91.189.91.13:80   192.168.1.15:49977   TCP

Sorry about the formatting, cut/paste.


I was advised to move from 2800 to 2900. So I did, yet I still get this
"message flooding" alert. It's annoying; how do I go about tuning and
turning off this alert?

ALSO, I would like the rules to be updated, and I do have an oink code, but
it's listed oddly on snort.org. I don't know which one to use, nor how
to use PulledPork or Oinkmaster and so forth. What is the best link for
this info, and what are the simple steps I need to take to get rules
updating with my oink code?

(removed the last few digits for security purposes)
Oinkcode
      * 6d31c34a34b8e7d8a42751d16b50e3dda634xxxx
      * 6d31c34a34b8e7d8a42751d16b50e3dda634xxxx
      * 6d31c34a34b8e7d8a42751d16b50e3dda634xxxx
      * 3b0c3089435a4ca349130adeae083ef3c1a5xxxx

Which code works for sure? The first or the last? I do not remember which is
newest. The first 3 are the same, by the way.


Here is my version of Snort.

snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.2 IPv6 GRE (Build 78) 
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version: 1.2.3.4


I look forward to your replies. Thanks!

Oly aka pete
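The tuning question above (quieting one noisy signature without disabling the rule) is what Snort's threshold.conf `suppress` and `event_filter` directives are for. The script below is an added example, not code from the post or from the Snort project: it models the semantics of `suppress gen_id G, sig_id S, track by_src, ip X` and `event_filter gen_id G, sig_id S, type limit|threshold|both, track by_src, count C, seconds N` over a constructed stream of alerts, so you can see how many events each setting would let through before touching the live config. The SIDs (1000001, 1000002) are placeholders, since the real SID of the "COMMUNITY SIP TCP/IP message flooding" rule is not in the post; the second source host 10.0.0.5 and the timestamps are constructed. 91.189.91.13 and 192.168.1.15 are the addresses from the pasted BASE record.

```python
"""Model of Snort threshold.conf tuning (suppress / event_filter) applied to a
constructed alert stream. Added example; placeholder SIDs and constructed data.
Look up the real SID in the rules file or the BASE alert detail before writing
a real suppress or event_filter line."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Alert:
    gen_id: int
    sig_id: int
    src: str
    dst: str
    ts: float  # seconds since an arbitrary epoch


@dataclass
class Suppress:
    """suppress gen_id G, sig_id S [, track by_src|by_dst, ip X]
    Snort applies suppression before any event_filter test."""
    gen_id: int
    sig_id: int
    track: Optional[str] = None
    ip: Optional[str] = None

    def matches(self, a: Alert) -> bool:
        if (a.gen_id, a.sig_id) != (self.gen_id, self.sig_id):
            return False
        if self.track is None:  # no track clause: silence the SID entirely
            return True
        return (a.src if self.track == "by_src" else a.dst) == self.ip


@dataclass
class EventFilter:
    """event_filter gen_id G, sig_id S, type limit|threshold|both,
    track by_src|by_dst, count C, seconds N"""
    gen_id: int
    sig_id: int
    ftype: str
    track: str
    count: int
    seconds: int
    state: dict = field(default_factory=dict)  # key -> (window_start, n)

    def reset(self) -> None:
        self.state = {}

    def allows(self, a: Alert) -> bool:
        if (a.gen_id, a.sig_id) != (self.gen_id, self.sig_id):
            return True  # filter does not apply to this SID
        key = a.src if self.track == "by_src" else a.dst
        start, n = self.state.get(key, (None, 0))
        if start is None or a.ts - start >= self.seconds:
            start, n = a.ts, 0  # open a new time window
        n += 1
        self.state[key] = (start, n)
        if self.ftype == "limit":      # log the first C events per window
            return n <= self.count
        if self.ftype == "threshold":  # log every C-th event
            return n % self.count == 0
        return n == self.count         # both: once per window, after C events


def tune(alerts, suppressions, filters):
    """Return the alerts Snort would still log under the given threshold.conf."""
    for f in filters:
        f.reset()
    kept = []
    for a in sorted(alerts, key=lambda x: x.ts):
        if any(s.matches(a) for s in suppressions):
            continue
        if all(f.allows(a) for f in filters):
            kept.append(a)
    return kept


# Constructed sample data (placeholder SIDs, constructed second host and times).
SIP_FLOOD_SID = 1000001       # placeholder, not the real community rule SID
OTHER_SID = 1000002           # placeholder for an unrelated rule
NOISY_HOST = "91.189.91.13"   # first address column of the pasted BASE alert
SENSOR = "192.168.1.15"

SAMPLE_ALERTS = (
    [Alert(1, SIP_FLOOD_SID, NOISY_HOST, SENSOR, float(t)) for t in range(6)]
    + [Alert(1, SIP_FLOOD_SID, "10.0.0.5", SENSOR, 2.0),
       Alert(1, SIP_FLOOD_SID, "10.0.0.5", SENSOR, 30.0)]
    + [Alert(1, OTHER_SID, "10.0.0.9", SENSOR, 7.0)]
)

# threshold.conf equivalents of the objects below:
#   suppress gen_id 1, sig_id 1000001, track by_src, ip 91.189.91.13
#   event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
SUPPRESS_NOISY_HOST = Suppress(1, SIP_FLOOD_SID, "by_src", NOISY_HOST)
LIMIT_ONE_PER_MINUTE = EventFilter(1, SIP_FLOOD_SID, "limit", "by_src", 1, 60)
THRESHOLD_EVERY_3 = EventFilter(1, SIP_FLOOD_SID, "threshold", "by_src", 3, 60)
BOTH_AFTER_3 = EventFilter(1, SIP_FLOOD_SID, "both", "by_src", 3, 60)

if __name__ == "__main__":
    scenarios = [
        ("no tuning", [], []),
        ("suppress noisy host + limit 1/min", [SUPPRESS_NOISY_HOST], [LIMIT_ONE_PER_MINUTE]),
        ("threshold every 3", [], [THRESHOLD_EVERY_3]),
        ("both, once per minute after 3", [], [BOTH_AFTER_3]),
    ]
    for label, sup, flt in scenarios:
        print(f"{label:36s} -> {len(tune(SAMPLE_ALERTS, sup, flt))} alerts logged")
```

A `suppress` keyed on the single chatty source keeps the rule live for every other host, which is usually preferable to commenting the rule out; an `event_filter` of type `limit` is the choice when you still want one notification per source per interval. Whichever line you settle on goes into threshold.conf (included from snort.conf) and takes effect after a restart or reload.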
