[Emerging-Sigs] FP 2406011

Michael Scheidell michael.scheidell at secnap.com
Wed Oct 20 15:02:09 EDT 2010


On 10/20/10 2:54 PM, Lay, James wrote:
>
> Looking at the packet, investigating the port, and packet capturing 
> additional, unrelated packets (netbios-ns from 192.168.0.66 looking 
> for HPE8854A), lead me to believe that this is most likely a 
> default/misconfigured printer driver on a Windows machine looking for 
> an HP printer.  Though the rule does match the 123 network, I do not 
> believe this was actually RBN traffic, so I posted it here.  Hope that 
> helps.
>
>
The rule is designed to match traffic to a certain set of IP addresses.
Your proposed fix?  Remove that IP address?  Fire the guy at your 
location who misconfigured the printer driver?

No, it's not a FP.  The packet matched traffic to 123.123.123.123 and it 
has yet to be shown that the IP address in question should be removed 
from 2406011.

Again, your local mis-configurations should not force a change or edit 
in a stock rule.


-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best in Email Security,2010: Network Products Guide
    * King of Spam Filters, SC Magazine 2008

