[Snort-users] Alerts triggering for unused IP space.

fatema bannatwala fatema.bannatwala at gmail.com
Wed Jan 17 13:24:05 EST 2018


So in an effort to detect the false positives, I was going through the
alerts, and saw that for
an alert (sid:42016), looking for incoming UDP packets from External_Net to
Home_Net on port 4800, a lot of Home_Net IPs weren't in use at the time when the
alert was triggered for the corresponding Home_Net IPs.

Hence, just like for TCP connections, where "established" can be used to make
sure that the Home_Net IP is actively being used on the network (as the Ack
flag will show), I was thinking if there's a way to check for UDP rules
whether the Home_Net IP is being used at the time when the alert is triggered,
and if not, then those alerts can be suppressed?

Currently, alert 42016 is triggering for IPs that aren't in use by any
device on the Home network (according to our DHCP logs),
hence they can all simply be ignored.
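The correlation the post describes (dropping UDP alerts whose Home_Net destination had no active DHCP lease at alert time) can be done as a post-processing step over Snort's "fast" alert output. The script below is an added example, not code from the original post or from the Snort project. The alert lines and the DHCP lease records are constructed samples; only sid 42016 and port 4800 come from the post. The `suppress` line format is Snort's threshold.conf syntax; whether a hit on an unleased address is worth a permanent suppression (the address may be leased to a device later) is a judgment call the script leaves to the analyst by only emitting candidates.

```python
"""Triage Snort alerts by cross-checking the Home_Net destination against DHCP leases.

Added example (not from the original mailing-list post). Alert lines and lease
records below are constructed; sid 42016 and port 4800 are from the post.
"""
import ipaddress
import re
from datetime import datetime

# Constructed Snort "fast" alert lines (sid 42016 / port 4800 from the post).
ALERTS = """\
01/17-10:02:11.123456  [**] [1:42016:3] SAMPLE UDP rule on 4800 [**] [Priority: 2] {UDP} 203.0.113.5:53211 -> 192.168.1.20:4800
01/17-10:05:40.654321  [**] [1:42016:3] SAMPLE UDP rule on 4800 [**] [Priority: 2] {UDP} 203.0.113.9:40000 -> 192.168.1.77:4800
01/17-10:07:02.000000  [**] [1:42016:3] SAMPLE UDP rule on 4800 [**] [Priority: 2] {UDP} 198.51.100.2:1234 -> 192.168.1.20:4800
"""

# Constructed DHCP lease records: (ip, lease_start, lease_end).
# 192.168.1.77's lease expired the day before the alerts fired.
LEASES = [
    ("192.168.1.20", "2018-01-17 09:00:00", "2018-01-17 21:00:00"),
    ("192.168.1.77", "2018-01-16 08:00:00", "2018-01-16 20:00:00"),
]

# Snort fast format: MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {PROTO} src:sport -> dst:dport
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alert(line, year=2018):
    """Parse one fast-format alert line; the fast format carries no year, so it is supplied."""
    m = FAST_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {
        "ts": ts,
        "gid": int(m["gid"]),
        "sid": int(m["sid"]),
        "proto": m["proto"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def lease_active(ip, ts, leases):
    """True if `ip` had a DHCP lease covering instant `ts`."""
    for lease_ip, start, end in leases:
        if lease_ip == ip and datetime.fromisoformat(start) <= ts <= datetime.fromisoformat(end):
            return True
    return False


def triage(alert_text, leases, home_net="192.168.1.0/24", sid=42016):
    """Split alerts for `sid` into (keep, drop): drop = Home_Net destination with no active lease.

    Alerts whose destination is outside Home_Net, or for a different sid, are kept
    untouched so the lease check never hides something it was not designed for.
    """
    net = ipaddress.ip_network(home_net)
    keep, drop = [], []
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        dst = ipaddress.ip_address(alert["dst"])
        if alert["sid"] == sid and dst in net and not lease_active(alert["dst"], alert["ts"], leases):
            drop.append(alert)
        else:
            keep.append(alert)
    return keep, drop


def suppress_candidates(dropped):
    """Emit threshold.conf 'suppress' lines for review, one per distinct (gid, sid, dst)."""
    seen = sorted({(a["gid"], a["sid"], a["dst"]) for a in dropped})
    return [f"suppress gen_id {gid}, sig_id {sid}, track by_dst, ip {ip}" for gid, sid, ip in seen]


if __name__ == "__main__":
    kept, dropped = triage(ALERTS, LEASES)
    print(f"kept {len(kept)} alert(s), dropped {len(dropped)} for unleased Home_Net addresses")
    for line in suppress_candidates(dropped):
        print(line)
```

Feed it the real `alert` file and a lease export from the DHCP server in the same `(ip, start, end)` shape; the kept list is what goes on for analysis, and the suppress candidates are a review queue rather than something to paste into threshold.conf unread.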
