Thread Info
  • State Not Answered
  • Replies 10 replies
  • Subscribers 0 subscribers
  • Views 1321 views
  • Users 0 members are here
Options
Suggested

[7.865][QUESTION][ANSWERED] ipv6 using utils gives false positive

utm_kid
Hello Fiends !

today 1st time i got ips alert 

trying many ipv6 utils to check so really dont know when this message came and notice very late 

i have added 3653 rule in pf for UDP AND TCP  gor gogo (ipv6 client)

2010:02:02-17:25:15 acenn snort[6066]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MISC UPnP Location overflow attempt" group="450" srcip="81.171.72.13" dstip="192.168.2.150" proto="17" srcport="3653" dstport="1797" sid="1388" class="Misc Attack" priority="2" generator="1" msgid="0" 

or it was really .....
Parents Reply Children
  • 0 in reply to utm_kid
    utk_kit,

    yes I checked the pcap file, my ips doesn't detect an alert,
    I check this via:

    1. copy you pcap into the snort chroot
    "cp pcapfile /var/chroot-snort/"

    2. run snort against this pcap
    "chroot /var/chroot-snort /sbin/snort_inline -A cmg -c /etc/snort/snort.conf --treat-drop-as-alert --process-all-events --pcap-single YOURPCAPFILE"

    I got a the end of the report:  "ALERTS: 0"
    So there is no attack in your pcap.

    I think we have to reproduce it to say more, I'll do that this week. 

    Best Sven
  • 0 in reply to SvenW
    hi Sven,

    I face this problem only 1-2 time but after that i dont  able to see ips alert but there was some traffic from that ip 

    if u think that is ok u can close the thread 

    thanks
Cookie Information Banner