
List:       snort-sigs
Subject:    [Snort-sigs] Snort rule 613 False Positive
From:       gandalf () digital ! net
Date:       2005-01-26 13:48:58
Message-ID: 20470729.1106747338333.JavaMail.root () wamui07 ! slb ! atl ! earthlink ! net

Rule:  
SCAN myscan
--
Sid:
1:613
--
False Positives:
Cisco PIX (192.168.200.2) talking to a Websense server (192.168.1.50) generates this alert.  Since the PIX IP address was not in $HOME_NET it alerted:

(Sorry, I don't have the PCAP output, just the alert):
#(4 - 6807) [2005-01-25 18:33:38] [arachNIDS/439] [snort/613]  SCAN myscan
IPv4: 192.168.200.2 -> 192.168.1.50
      hlen=5 TOS=0 dlen=44 ID=1684 flags=0 offset=0 TTL=253 chksum=48381
TCP:  port=10101 -> dport: 15868  flags=******S* seq=265602979
      ack=0 off=6 res=0 win=4096 urp=0 chksum=20739
      Options:
       #1 - MSS len=2 data=05B4
Payload: none
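As an added triage helper (not part of the post above): it parses the alert text in the format quoted and checks whether the source and destination fall inside a given $HOME_NET, which is the question this false positive turns on. It assumes $EXTERNAL_NET is defined as !$HOME_NET, as is common but not universal in snort.conf.

```python
import ipaddress
import re

# Alert text as quoted in the post (no pcap was available).
ALERT = """#(4 - 6807) [2005-01-25 18:33:38] [arachNIDS/439] [snort/613]  SCAN myscan
IPv4: 192.168.200.2 -> 192.168.1.50
      hlen=5 TOS=0 dlen=44 ID=1684 flags=0 offset=0 TTL=253 chksum=48381
TCP:  port=10101 -> dport: 15868  flags=******S* seq=265602979
      ack=0 off=6 res=0 win=4096 urp=0 chksum=20739
      Options:
       #1 - MSS len=2 data=05B4
Payload: none
"""

def parse_alert(text):
    """Pull the fields relevant to triage out of the text alert format above."""
    m_hdr = re.search(r"\[snort/(\d+)\]\s+(.+)", text)
    m_ip = re.search(r"IPv4:\s+(\S+)\s+->\s+(\S+)", text)
    m_ttl = re.search(r"\bTTL=(\d+)", text)
    m_tcp = re.search(r"port=(\d+)\s+->\s+dport:\s+(\d+)\s+flags=(\S+)", text)
    m_ack = re.search(r"\back=(\d+)", text)
    if not (m_hdr and m_ip and m_ttl and m_tcp and m_ack):
        raise ValueError("unrecognised alert format")
    return {
        "sid": int(m_hdr.group(1)), "msg": m_hdr.group(2).strip(),
        "src": ipaddress.ip_address(m_ip.group(1)),
        "dst": ipaddress.ip_address(m_ip.group(2)),
        "ttl": int(m_ttl.group(1)),
        "sport": int(m_tcp.group(1)), "dport": int(m_tcp.group(2)),
        "flags": m_tcp.group(3), "ack": int(m_ack.group(1)),
    }

def in_any(addr, nets):
    """True if addr lies in any of the CIDR strings in nets."""
    return any(addr in ipaddress.ip_network(n) for n in nets)

def triage(text, home_net):
    """Report which side of $HOME_NET the alert's endpoints fall on.
    Assumption: $EXTERNAL_NET is !$HOME_NET, so a source outside HOME_NET
    is what lets an $EXTERNAL_NET -> $HOME_NET rule fire on internal gear."""
    a = parse_alert(text)
    a["src_in_home_net"] = in_any(a["src"], home_net)
    a["dst_in_home_net"] = in_any(a["dst"], home_net)
    if a["src_in_home_net"]:
        a["verdict"] = "source treated as $HOME_NET"
    else:
        a["verdict"] = "source treated as $EXTERNAL_NET; review HOME_NET coverage"
    return a
```

Run `triage(ALERT, ["192.168.1.0/24"])` to reproduce the situation in the post; adding 192.168.200.0/24 to the list flips the verdict.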




