[Snort-users] Questions about sids.

Joel Esler jesler at ...1935...
Mon Apr 8 09:48:57 EDT 2013


On Apr 8, 2013, at 9:37 AM, Joao Daniel Neves <joaodanielnevesss at ...125...> wrote:

> I'm a bit lost. I always have a lot of alerts of sid 1-373 ( http://www.snort.org/search/sid/1-373 ) it is PROTOCOL-ICMP PING Flowpoint2200 or Network Management Software.
> 
> I think that is not a reason to bother since it is just a ping. I know that ping can be used to scan a network. But it does not seem to be the behavior of the alert. Since just one source sent 110 packages to only three IPs. And then never triggered another alert.
> 
> Should I be worried about it?

If it's normal for you to have those events, then no, you shouldn't be worried.

Turn the rule off.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
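
Added example, not part of the original message and not Snort project code: one way to check from the alert log whether events for sid 1:373 match the pattern in the question (one source, a handful of destinations) or look like a sweep across many hosts. It assumes alert_fast-style log lines; the sample lines, addresses, rule revision and the 10-host threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# alert_fast layout: timestamp [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)

def summarize(lines, gid=1, sid=373):
    """Return {src: {"alerts": n, "dsts": set_of_destinations}} for one gid:sid."""
    stats = defaultdict(lambda: {"alerts": 0, "dsts": set()})
    for line in lines:
        m = ALERT_RE.search(line)
        if not m or (int(m["gid"]), int(m["sid"])) != (gid, sid):
            continue  # unparsable line or a different rule
        # ICMP has no ports; strip ":port" so IPv4 TCP/UDP alerts also work
        src = m["src"].split(":")[0]
        dst = m["dst"].split(":")[0]
        stats[src]["alerts"] += 1
        stats[src]["dsts"].add(dst)
    return dict(stats)

def sweep_like(stats, min_dsts=10):
    """Sources that reached at least min_dsts distinct hosts (assumed threshold)."""
    return sorted(s for s, v in stats.items() if len(v["dsts"]) >= min_dsts)

def _line(src, dst, sid=373, msg="PROTOCOL-ICMP PING Flowpoint2200 or Network Management Software"):
    # Constructed alert line; timestamp and revision are placeholders
    return (f"04/08-09:30:01.000000  [**] [1:{sid}:1] {msg} [**] "
            f"[Classification: Misc activity] [Priority: 3] {{ICMP}} {src} -> {dst}")

# Constructed sample: one source repeatedly pinging three hosts, one source
# touching twenty hosts, and one alert from an unrelated (made-up) sid.
SAMPLE = (
    [_line("192.0.2.10", f"198.51.100.{1 + i % 3}") for i in range(110)]
    + [_line("192.0.2.99", f"198.51.100.{i}") for i in range(50, 70)]
    + [_line("192.0.2.10", "198.51.100.200", sid=999999, msg="constructed other rule")]
)

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for src, v in sorted(stats.items()):
        print(f"{src}: {v['alerts']} alerts, {len(v['dsts'])} distinct destinations")
    print("sweep-like sources:", sweep_like(stats))
```

A source with many alerts but only a few destinations, like the one in the question, does not appear in the sweep-like list.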