snort false positives

baronobeefdip · 02-21-2013, 08:52 AM

I have some snort rules setup in the default settings (except for the community sip and virus ones which didn't work and instead started generating errors and false positives) I now want to disable a rule that is generating these reports

Code:

MISC UPnP malformed advertisement

There's too many of these alerts and I am now under the impression that these are false positives and I want to know which rule I need to disable in order to stop getting these reports
I am also getting these alerts

Code:

COMMUNITY WEB-MISC Proxy Server Access

Which rules do I need to disable to stop receiving these alerts?

unSpawn · 02-21-2013, 12:18 PM

See /etc/snort/threshold.conf or configure Oinkmaster to handle it?

baronobeefdip · 02-21-2013, 09:25 PM

I just want to know which rule files are generating these alerts

unSpawn · 02-22-2013, 05:47 AM

Ah, OK easiest is to grep the sid-msg.map for it or recursively grep the directory where your Snort rules reside. The SID of the first rule is 1384 IIGC.

baronobeefdip · 02-23-2013, 09:53 AM

How do I recursively search the directory that the rule files are located, I know how to grep a single file for text bit I have never done more than one at a time, and whenever it finds a match hire will I know which file it was found in

unSpawn · 02-23-2013, 11:46 AM

Both questions are not related to Snort but to 'grep' use and 'man grep' would have shown "-r" and "-H" usage:

Code:

grep -Hr "UPnP malformed advertisement" /etc/snort