What does this sig look for? It appears to be very noisy, and from the events I have seen, all the traffic is NetBIOS traffic on port 139 or 445, all between internal hosts.
This signature tends to fire on only one echo reply being sent. I have seen this in many cases: multiple requests come in with one reply, and this fires. Is this a known issue or a possible bug with the signature?
Had these files fill up the /var/ partition. They were in /var/tmp/ on a few different NetRangers; they contain nothing but IP addresses with port 80, and the IPs can't be found in the NetRanger logs.
We have old log files that we move to a dump_old directory, and when purging files at 90% we would like to purge files from that directory instead of /var/log/dump.
I know where to edit the config file sapd.conf. I was wondering where some of the variables are pulled from so I can modify them, or if I can create new variables, like a new $PathDump variable, etc.
The best way to start is to filter the data so you know which signatures fire most often, then start by investigating those, maybe entering excluded patterns or possibly tuning the sig depending on your network. Just work your way down the list. Using t...
I know what it is supposed to trigger on, but my concern is that it triggers on one echo reply in most cases that I have seen. There may be multiple requests, but one reply triggers it, usually during ICMP network sweeps.