Snort mailing list archives

RE: accuracy of snort?


From: "Mayers, Philip J" <p.mayers () ic ac uk>
Date: Wed, 8 Aug 2001 12:17:47 +0100

This particular rule:

alert TCP $EXTERNAL any -> $INTERNAL 25 (msg:
"IDS266/smtp_smtp-chameleon-overflow"; dsize: >500; flags: A+; content:
"HELP "; depth: 5; nocase; classtype: system-attempt; reference:
arachnids,266;) 

And from the Arachnids link:

False Positives
There are reported incidents where legitimate traffic may cause an intrusion
detection system to raise "false positive" alerts for this event. The
following details have been reported: 
Vulnerability scan by Nessus 

Doesn't do much content matching - it's not impossible that a real HELP
command was longer than 500 characters, but it's unlikely. This brings up a
point - it would be good if rules could have a "likelihood of falseness"
field.

Regards,
Phil

+------------------------------------------+
| Phil Mayers                              |
| Network & Infrastructure Group           |
| Information & Communication Technologies |
| Imperial College                         |
+------------------------------------------+
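As an added example (not code from the thread or from Snort itself), the Python below evaluates the option set of the rule Phil quotes against constructed SMTP client payloads, so the false positive he expects can be seen directly: an oversized but legitimate HELP command alerts exactly like the probe, while the rule never looks past the first five bytes.

```python
# Added example: minimal evaluator for the IDS266 rule options quoted above.
# Not Snort's code; the sample packets are constructed test data.
from dataclasses import dataclass

FLAG_ACK = 0x10  # TCP flag bit that "flags: A+" requires
FLAG_PSH = 0x08


@dataclass
class Packet:
    """Constructed stand-in for the header fields and payload the rule inspects."""
    dst_port: int
    flags: int
    payload: bytes


def ids266_matches(pkt: Packet) -> bool:
    """True when every option of the rule holds: destination port 25, dsize >500
    (payload length), flags A+ (ACK set, other flags ignored) and a case-insensitive
    "HELP " that fits entirely within the first 5 payload bytes (a 5-byte content
    with depth 5 can only match at offset 0)."""
    if pkt.dst_port != 25:
        return False
    if len(pkt.payload) <= 500:                 # dsize: >500
        return False
    if not pkt.flags & FLAG_ACK:                # flags: A+
        return False
    return b"help " in pkt.payload[:5].lower()  # content; depth: 5; nocase


def evaluate_samples() -> dict:
    """Run the rule over constructed SMTP client payloads and return {name: alerted}.
    The legitimate oversized HELP is indistinguishable from the probe, which is the
    false positive discussed in the thread; the other cases show each option's effect."""
    ack_psh = FLAG_ACK | FLAG_PSH
    samples = {
        "overflow_probe": Packet(25, ack_psh, b"HELP " + b"A" * 600 + b"\r\n"),
        "legit_help": Packet(25, ack_psh, b"HELP\r\n"),
        "legit_help_mixed_case": Packet(25, ack_psh, b"help RCPT\r\n"),
        "legit_oversized_help": Packet(25, ack_psh, b"HELP " + b"x" * 520 + b"\r\n"),
        "nocase_probe": Packet(25, ack_psh, b"Help " + b"B" * 600),
        "big_data_phase": Packet(25, ack_psh, b"Subject: hi\r\n" + b"C" * 1400),
        "help_not_at_offset_0": Packet(25, ack_psh, b" HELP " + b"D" * 600),
        "no_ack_flag": Packet(25, FLAG_PSH, b"HELP " + b"E" * 600),
        "wrong_port": Packet(110, ack_psh, b"HELP " + b"F" * 600),
    }
    return {name: ids266_matches(p) for name, p in samples.items()}
```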

-----Original Message-----
From: Pontus Joakimsson [mailto:jpontus () ess nec de]
Sent: 08 August 2001 10:45
To: snort-users () lists sourceforge net
Subject: [Snort-users] accuracy of snort?


How accurate are the alerts in Snort?

Found this in the logs this morning... how seriously should I take it?
(There was only one incident from this host.)

-----------------------------------------------------
[**] [1:657:2] SMTP chameleon overflow [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 10]
08/08-07:45:51.102745 209.246.10.170:64062 -> x.x.x.x:25
TCP TTL:231 TOS:0x0 ID:47600 IpLen:20 DgmLen:1420
***A**** Seq: 0x569FF343  Ack: 0x84528B3E  Win: 0x25BC  TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2387]
[Xref => http://www.whitehats.com/info/IDS266]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0261]
-----------------------------------------------------

Regards,
  Pontus Joakimsson

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
