
[9.203-3] IPS False positives on SID=1 ??

Hi,

Just rebuilt our OLD firewall with version 9.203...

1. What is SID 1?

2. I believe this is a false positive; how do I disable the rule??

2014:07:20-22:00:03 fw snort[7146]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="" reason="(spp_ssh) Challenge-Response Overflow exploit" srcip="1.2.3.217" dstip="96.44.129.154" proto="6" srcport="56515" dstport="22" sid="1" class="Attempted Administrator Privilege Gain" priority="1"  generator="128" msgid="1"


Anyone seen alerts like this?

The DST IP is not under my control.

Thanks,
Barry
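
Added example, not part of the original thread: a small parser for IPS log lines in the format quoted above, showing that the alert is identified by the generator and sid fields together, not by sid alone. The first sample line is the alert from the post; the second is constructed for contrast, and the function names are hypothetical.

```python
import re
from collections import Counter

# First line is the alert quoted in the post; the second is constructed for
# contrast (a hypothetical text-rule alert with generator="1").
SAMPLE_LOG = [
    '2014:07:20-22:00:03 fw snort[7146]: id="2101" severity="warn" sys="SecureNet" '
    'sub="ips" name="Intrusion protection alert" action="" '
    'reason="(spp_ssh) Challenge-Response Overflow exploit" srcip="1.2.3.217" '
    'dstip="96.44.129.154" proto="6" srcport="56515" dstport="22" sid="1" '
    'class="Attempted Administrator Privilege Gain" priority="1"  generator="128" msgid="1"',
    '2014:07:20-22:05:10 fw snort[7146]: id="2101" severity="warn" sys="SecureNet" '
    'sub="ips" name="Intrusion protection alert" action="" '
    'reason="CONSTRUCTED example rule" srcip="192.0.2.10" dstip="192.0.2.20" '
    'proto="6" srcport="40000" dstport="80" sid="99999" class="Misc activity" '
    'priority="3" generator="1" msgid="0"',
]

FIELD = re.compile(r'(\w+)="([^"]*)"')
PREPROC = re.compile(r'^\((\w+)\)')


def parse_alert(line):
    """Split one IPS log line into its key="value" fields."""
    return dict(FIELD.findall(line))


def rule_identity(fields):
    """Identify the alert by generator:sid, since a sid is only unique per generator."""
    gid, sid = int(fields["generator"]), int(fields["sid"])
    # Snort convention: generator 1 = text rules, 3 = shared-object rules;
    # other generators belong to preprocessors and decoders.
    kind = "rule" if gid in (1, 3) else "preprocessor"
    m = PREPROC.match(fields.get("reason", ""))
    return {"id": f"{gid}:{sid}", "kind": kind, "module": m.group(1) if m else None}


def summarize(lines):
    """Count alerts per (generator:sid, srcip, dstip, dstport) for triage."""
    counts = Counter()
    for line in lines:
        f = parse_alert(line)
        if f.get("sub") != "ips" or "sid" not in f or "generator" not in f:
            continue
        counts[(rule_identity(f)["id"], f["srcip"], f["dstip"], f["dstport"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, *key)
```

For the alert in the post this yields the identifier 128:1 from the spp_ssh module, which is the pair to look for when searching rule or preprocessor documentation.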


  • Hi Bob,

    FWIW, the connection is initiated from an internal address.

    In general I prefer to disable one rule rather than create exceptions; however, I don't think that's possible for SID 1.

    Thanks,
    Barry