[Saltamontes]

Hello to everybody

After been experimenting with Sgui/Snort i have all parts working, and a sensor installed in the site capturing data from the whole network, but i have seen, from days ago to today, many false positives, some like portscans, backdoors, "double decode attack", and alerts like "WEB-MISC ...","WEB-PHP ... access", "portscan: TCP Portsweep" anh others of the simmilar kind.

"WEB-CGI ... access","WEB-PHP ... access","WEB-FRONTPAGE ... access", "WEB-IIS view source..." are file upload from local machines to the local web site.

"http_inspect: BARE BYTE UNICODE ENCODING" and "http_inspect: OVERSIZE REQUEST-URY DIRECTORY" are searches or quueries over the local web site.

"portscan: OPEN PORT" don't shows nothing on the payload section and "portscan: TCP PortSweep" shows HTTP ports, OpenPorts and PortSweep scans are done to a common IP, i think that is a Web server (Apache or IIS)...

then how can i add some rules or restrictions in order to avoid generate or show that alerts???

i supose that chould add some in the sfportscan section ignore_scanners{} or ignore_scanned {} from snort.conf, but i don't know if only adding the IP from the web server will be enough. The Snort Manual PDF don't have enough information.

...and there are other alerts like "http_inspect: DOUBLE DECODING ATTACK" from local IPs to other IPs (i don't know if are part of local network ranges)

it's possible to reduce that kind of false positives but keeping the true alerts???

i will aprecciate any idea or guide.

Thanks to everybody.

See you