[Snort-users] Snort Alert[1:16482:8]

Kee, Scott Scott.Kee at ...16186...
Wed Mar 27 17:01:37 EDT 2013


Does anybody receive 16482:8 alerts from 216.115.96.174 and 216.115.96.176?
I've noticed that if our inside user goes to the yahoo.com web site, it frequently generates a 16482:8 alert.
I am thinking about putting those addresses in the blacklist rule or blocking them on our FW.

Thanks,



-----Original Message-----
From: Castle, Shane [mailto:scastle at ...14946...] 
Sent: Tuesday, March 26, 2013 11:32 AM
To: Kee, Scott; 'snort-users at lists.sourceforge.net'
Subject: RE: Snort Alert[1:16482:8]

The info I have suggests that this rule has a very low or zero FP rate, indicating that you are mistaken and that there are really some IE 6 and 7 browsers on your net. I'd suggest following up on the IP addresses to see what is going on.

Of course, it's possible that the alerts are being generated from browsers outside your network if you do not have $EXTERNAL_NET and $HOME_NET set up properly.

-- 
Shane Castle
Data Security Mgr, Boulder County IT


-----Original Message-----
From: Kee, Scott [mailto:Scott.Kee at ...16186...] 
Sent: Tuesday, March 26, 2013 08:38
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort Alert[1:16482:8]

I recently installed Snort on my Ubuntu machine. I am receiving a lot of 16482:8 alerts. It is a Microsoft IE 6 and 7 vulnerability alert.

I don't have any users who are using IE 6 or 7. What is triggering this alert? Is this safe to ignore?

Thanks

Scott
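
Added example (not part of either poster's message and not Snort project code): one way to follow up on the IP addresses, as the thread suggests, is to count the SID 16482 alerts per internal host and to flag any alert where neither endpoint is inside the intended HOME_NET. It assumes alerts are written in Snort's alert_fast text format; the HOME_NET range, the internal addresses and the `<rule msg>` placeholder are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the range you intend HOME_NET to cover; take it from your own snort.conf.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed alert_fast lines; "<rule msg>" is a placeholder for the rule message.
SAMPLE_ALERTS = """\
03/26-08:31:02.114201  [**] [1:16482:8] <rule msg> [**] [Priority: 1] {TCP} 216.115.96.174:80 -> 10.1.2.15:51844
03/26-08:31:40.901113  [**] [1:16482:8] <rule msg> [**] [Priority: 1] {TCP} 216.115.96.176:80 -> 10.1.2.15:51850
03/26-08:40:10.000410  [**] [1:16482:8] <rule msg> [**] [Priority: 1] {TCP} 216.115.96.174:80 -> 10.1.7.33:49212
03/26-08:41:00.500000  [**] [1:2000001:1] <other msg> [**] [Priority: 2] {TCP} 10.1.2.15:51900 -> 198.51.100.7:443
03/26-09:02:11.730000  [**] [1:16482:8] <rule msg> [**] [Priority: 1] {TCP} 203.0.113.9:80 -> 192.0.2.44:40100
""".splitlines()

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\].*?\{\w+\}\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?::\d+)?\s+->\s+(?P<dst>\d+(?:\.\d+){3})(?::\d+)?"
)

def is_home(addr, home_net):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in home_net)

def triage(lines, sid="16482", home_net=HOME_NET):
    """Count one SID's alerts per (internal host, peer); list pairs with no end in HOME_NET."""
    per_host, outside = Counter(), []
    for line in lines:
        m = ALERT_RE.search(line)
        if not m or m["sid"] != sid:
            continue
        src, dst = m["src"], m["dst"]
        if is_home(dst, home_net):      # response delivered to an internal host
            per_host[(dst, src)] += 1
        elif is_home(src, home_net):    # traffic sent by an internal host
            per_host[(src, dst)] += 1
        else:                           # sensor variables are wider than intended
            outside.append((src, dst))
    return per_host, outside

if __name__ == "__main__":
    hosts, outside = triage(SAMPLE_ALERTS)
    for (host, peer), n in hosts.most_common():
        print(f"{host} <-> {peer}: {n} alert(s)")
    print("neither end in HOME_NET:", outside)
```

Hosts listed in the first result are the machines whose browser versions are worth checking; any entry in the second list points at the $HOME_NET/$EXTERNAL_NET definitions rather than at a local browser.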






