Home page logo
/

snort logo Snort mailing list archives

Re: Questions about sids.
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 8 Apr 2013 09:48:57 -0400

On Apr 8, 2013, at 9:37 AM, Joao Daniel Neves <joaodanielnevesss () hotmail com> wrote:

I'm a bit lost. I always have a lot of alerts of sid 1-373 ( http://www.snort.org/search/sid/1-373 ) it is 
PROTOCOL-ICMP PING Flowpoint2200 or Network Management Software.

I think that is not a reason to bother since it is just a ping. I know that ping can be used to scan a network. But 
it does not seems to be the behavior of the alert. Since just one source sent 110 packages to only three IPs. And 
then never triged other alert.

Shoud I be worried about it ? 

If it's normal for you to have those events, then no, you shouldn't be worried.

Turn the rule off.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
------------------------------------------------------------------------------
Minimize network downtime and maximize team effectiveness.
Reduce network management and security costs.Learn how to hire 
the most talented Cisco Certified professionals. Visit the 
Employer Resources Portal
http://www.cisco.com/web/learning/employer_resources/index.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]