Snort mailing list archives
RE: accuracy of snort?
From: "Mayers, Philip J" <p.mayers () ic ac uk>
Date: Wed, 8 Aug 2001 12:17:47 +0100
This particular rule:

alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS266/smtp_smtp-chameleon-overflow"; dsize: >500; flags: A+; content: "HELP "; depth: 5; nocase; classtype: system-attempt; reference: arachnids,266;)

And from the Arachnids link:

False Positives
There are reported incidents where legitimate traffic may cause an intrusion detection system to raise "false positive" alerts for this event. The following details have been reported:
Vulnerability scan by nessus

Doesn't do much content matching - it's not impossible that a real HELP command was longer than 500 characters, but it's unlikely.

This brings up a point - it would be good if rules could have a "likelihood of falseness" field.

Regards,
Phil

+------------------------------------------+
| Phil Mayers                              |
| Network & Infrastructure Group           |
| Information & Communication Technologies |
| Imperial College                         |
+------------------------------------------+

-----Original Message-----
From: Pontus Joakimsson [mailto:jpontus () ess nec de]
Sent: 08 August 2001 10:45
To: snort-users () lists sourceforge net
Subject: [Snort-users] accuracy of snort?

How accurate are the alerts in snort? Found this in the logs this morning... how seriously should I take it?
(there was only one incident from this host)

-----------------------------------------------------
[**] [1:657:2] SMTP chameleon overflow [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 10]
08/08-07:45:51.102745 209.246.10.170:64062 -> x.x.x.x:25
TCP TTL:231 TOS:0x0 ID:47600 IpLen:20 DgmLen:1420
***A**** Seq: 0x569FF343 Ack: 0x84528B3E Win: 0x25BC TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2387]
[Xref => http://www.whitehats.com/info/IDS266]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0261]
-----------------------------------------------------

Regards,
Pontus Joakimsson

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
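Added example, not part of the thread: a small Python model of how Snort evaluates the option list of the rule Phil quotes (destination port 25, flags A+, dsize >500, content "HELP " within depth 5, nocase), run over constructed segments to show which ones trigger it and why a "HELP" that appears later in the payload, or a short one, does not. The Segment class and the sample payloads are constructed for illustration and are not real captured traffic.

```python
from dataclasses import dataclass

# Constructed TCP segment model; only the fields the rule inspects are kept.
@dataclass
class Segment:
    dst_port: int
    flags: str      # Snort-style flag letters, e.g. "A", "PA", "S"
    payload: bytes

# Parsed form of the IDS266 rule options quoted in the thread.
RULE = {
    "dst_port": 25,
    "flags": "A+",          # ACK set, any other flags allowed
    "dsize_gt": 500,        # payload strictly larger than 500 bytes
    "content": b"HELP ",
    "depth": 5,             # search only the first 5 payload bytes
    "nocase": True,
}

def flags_match(spec: str, flags: str) -> bool:
    """Snort flag semantics: 'A' means exactly ACK, 'A+' means ACK plus anything."""
    required = set(spec.rstrip("+"))
    present = set(flags)
    if spec.endswith("+"):
        return required <= present
    return required == present

def rule_matches(seg: Segment, rule=RULE) -> bool:
    """Return True when every option of the rule is satisfied, as Snort would."""
    if seg.dst_port != rule["dst_port"]:
        return False
    if not flags_match(rule["flags"], seg.flags):
        return False
    if len(seg.payload) <= rule["dsize_gt"]:
        return False
    window = seg.payload[: rule["depth"]]   # depth limits the search window
    needle = rule["content"]
    if rule["nocase"]:
        window, needle = window.lower(), needle.lower()
    return needle in window

# Constructed samples: segments that would and would not raise the alert.
OVERSIZED_HELP = Segment(25, "PA", b"HELP " + b"A" * 1400)   # alerts
SHORT_HELP     = Segment(25, "PA", b"HELP\r\n")              # dsize too small
LOWER_HELP     = Segment(25, "A",  b"help " + b"x" * 600)    # nocase: alerts
LATE_HELP      = Segment(25, "PA", b"X" * 600 + b"HELP ")    # outside depth 5
```

Because only the first five bytes are examined, the rule effectively fires on any ACK-bearing segment to port 25 that starts with "HELP " and carries more than 500 bytes, which is exactly the "doesn't do much content matching" point above.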
Current thread:
- accuracy of snort? Pontus Joakimsson (Aug 08)
- Re: accuracy of snort? Kiira Triea (Aug 08)
- Re: accuracy of snort? Martin Roesch (Aug 08)
- <Possible follow-ups>
- RE: accuracy of snort? Mayers, Philip J (Aug 08)
- RE: accuracy of snort? Sloan, Craig (Aug 08)