Hi Isidro, I would say that they are just false positives. I get the exact alerts on the network I administer simply because I haven't "tuned" the Snort box to the network environment.
Remember that ID Systems are not plug & play, they do need "tuning" to the environment they are in.

~Davie Elliott

----- Original Message -----
From: "Isidro Catalán Ramos" <[EMAIL PROTECTED]>
To: "focus-ids" <[email protected]>
Sent: Tuesday, May 16, 2006 11:09 AM
Subject: Snort false positive[Scanned]

> Hi list,
>
> We have Snort 2.4.4 and in the logs appear a lot of Port Scan traffic of
> this type:
>
> (portscan) TCP Portsweep
> (portscan) ICMP Sweep
> (portscan) UDP Portsweep
> (portscan) Open Port
>
> And the payload of these alerts is like the above:
>
> Payload (ASCII):
> Priority Count: 5.Co
> nnection Count: 4.IP
> Count: 14.Scanned I
> P Range: 192.168.1.9
> :65.54.171.28.Port/
> Proto Count: 8.Port/
> Proto Range: 80:3410
> .
>
> These alerts come from a lot of our network computers but they seem to
> be clean of spyware, worms, etc...
>
> We need to know if this is a false positive or we have a problem in our
> LAN.
>
> Thanks!
> --
>
> Isidro Catalán Ramos
> Systems administrator
> -----------------------
> Amigophone S.L.
> [ www.amigophone.es ]
> -----------------------
> Tel: +34 933 661 007
> Fax: +34 933 661 012
> [EMAIL PROTECTED]
>
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ------------------------------------------------------------------------
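Davie's tuning advice depends on actually reading the fields in the payload Isidro quoted. The example below is added here and is not code from either poster or from the Snort project: it reassembles that column-wrapped sfportscan payload into its fields and applies a triage heuristic. The names SAMPLE_PAYLOAD, parse_portscan_payload and triage, and the heuristic thresholds in triage, are my assumptions.

```python
import ipaddress
import re

# Constructed sample: the wrapped ASCII payload quoted in the post. Snort's
# sfportscan preprocessor writes one field per line; the alert viewer shows
# each newline as "." and wraps the text at 20 columns, splitting words.
SAMPLE_PAYLOAD = """\
Priority Count: 5.Co
nnection Count: 4.IP
Count: 14.Scanned I
P Range: 192.168.1.9
:65.54.171.28.Port/
Proto Count: 8.Port/
Proto Range: 80:3410
."""

# All whitespace is stripped before matching, because the column wrap both
# splits words ("Co/nnection") and swallows spaces ("IP/Count").
FIELD_RE = re.compile(
    r"PriorityCount:(?P<priority>\d+)\."
    r"ConnectionCount:(?P<connections>\d+)\."
    r"IPCount:(?P<ips>\d+)\."
    r"ScannedIPRange:(?P<ip_lo>[\d.]+):(?P<ip_hi>[\d.]+)\."
    r"Port/ProtoCount:(?P<ports>\d+)\."
    r"Port/ProtoRange:(?P<port_lo>\d+):(?P<port_hi>\d+)\."
)


def parse_portscan_payload(text):
    """Reassemble a wrapped sfportscan payload and return its fields."""
    compact = re.sub(r"\s+", "", text)
    m = FIELD_RE.search(compact)
    if m is None:
        raise ValueError("not an sfportscan payload")
    rec = {k: int(v) for k, v in m.groupdict().items()
           if k not in ("ip_lo", "ip_hi")}
    rec["ip_lo"] = ipaddress.ip_address(m["ip_lo"])
    rec["ip_hi"] = ipaddress.ip_address(m["ip_hi"])
    return rec


def triage(rec, alert):
    """Heuristic (an assumption, not a Snort rule): a sweep that touches more
    hosts than ports, on a small port set starting at 80 or 443, looks like
    ordinary outbound web browsing, the classic untuned-sensor false positive.
    Anything else is handed to a human."""
    sweep = alert.endswith("Sweep") or alert.endswith("Portsweep")
    web_like = rec["port_lo"] in (80, 443) and rec["ports"] <= 10
    many_hosts = rec["ips"] > rec["ports"]
    if sweep and web_like and many_hosts:
        return "likely benign (untuned sweep threshold)"
    return "review"
```

Once the fields are parsed, the same script can list the internal sources that keep tripping the sweep thresholds, which is the input you need to tune the preprocessor rather than guess.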
