Snort mailing list archives

RE: [Snort-sigs] Holy false Positives


From: "Lance Boon" <lboon () firststatebanksw com>
Date: Wed, 16 Jun 2004 09:44:56 -0500

I see a ton of these SCAN UPnP attempts on XP systems that have Internet
Gateway Discovery and Control Client installed, Universal Plug and Play
or they have MSN Messenger installed or all of the above. I just
uninstall MSN Messenger on systems that have it installed or uninstall
anything that has anything to do with UPnP. As far as the MSN Messenger
triggering this alert, check the archives, as it's discussed there too.

 
-----Original Message-----
From: snort-sigs-admin () lists sourceforge net
[mailto:snort-sigs-admin () lists sourceforge net] On Behalf Of Shaun T.
Erickson
Sent: Wednesday, June 16, 2004 9:11 AM
To: Goodson, Jacob
Cc: 'snort-sigs () lists sourceforge net'
Subject: Re: [Snort-sigs] Holy false Positives

Goodson, Jacob wrote:

What could be causing the L3retriever Ping signature to trigger?  I
think it is a false positive.


I just set up my first snort sensors yesterday, and am seeing a large 
number of these, myself, from many of my systems. I have a hard time 
believing that they all have a scanner installed and running on them.

I'm also seeing thousands of alerts on "SCAN UPnP service discover 
attempt" (sid 1917). Having only started my sensors yesterday, I don't 
really know, yet, how to determine if this is something bad happening on 
my net, or if turning off some service on my systems would stop it, or 
if I should ignore it, or what. This one sid accounts for the vast 
majority of my alerts, with hundreds every couple minutes.

        -ste


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
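
One way to check whether a flood of sid 1917 alerts is local UPnP discovery chatter: count the alerts per internal source whose destination is the SSDP multicast group 239.255.255.250 on UDP port 1900, and list everything else separately for review. This is an added example, not part of the thread; the fast-format alert lines, the 192.168.1.0/24 home network and the sid 1000001 local rule are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Snort "fast" alert line: [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+)"
    r" -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)
SSDP_GROUP = ipaddress.ip_address("239.255.255.250")  # UPnP/SSDP multicast group
SSDP_PORT = 1900


def triage_upnp(lines, home_net, sid=1917):
    """Split alerts for one sid into local SSDP discovery and everything else."""
    home = ipaddress.ip_network(home_net)
    local_discovery, needs_review = Counter(), Counter()
    for line in lines:
        m = ALERT_RE.search(line)
        if not m or int(m["sid"]) != sid:
            continue  # unparsable line or a different rule
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if src in home and dst == SSDP_GROUP and int(m["dport"]) == SSDP_PORT:
            local_discovery[str(src)] += 1  # internal host doing UPnP discovery
        else:
            needs_review[(str(src), str(dst))] += 1  # unicast or outside source
    return local_discovery, needs_review


# Constructed sample data (sid, message, source, destination); not real traffic.
_ROWS = [
    (1917, "SCAN UPnP service discover attempt", "192.168.1.23:1028", "239.255.255.250:1900"),
    (1917, "SCAN UPnP service discover attempt", "192.168.1.23:1029", "239.255.255.250:1900"),
    (1917, "SCAN UPnP service discover attempt", "192.168.1.40:1031", "239.255.255.250:1900"),
    (1917, "SCAN UPnP service discover attempt", "203.0.113.9:4021", "192.168.1.23:1900"),
    (1000001, "constructed local rule", "192.168.1.40:1032", "192.168.1.5:80"),
]
SAMPLE = [
    f"06/16-09:11:02.000000  [**] [1:{sid}:1] {msg} [**] [Priority: 3] {{UDP}} {src} -> {dst}"
    for sid, msg, src, dst in _ROWS
]

if __name__ == "__main__":
    local, review = triage_upnp(SAMPLE, "192.168.1.0/24")
    print("local SSDP discovery by host:", dict(local))
    print("needs review (src, dst):", dict(review))
```
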

