Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Snort 2.1.0, getting mixed up signatures.

From: Jason Haar <Jason.Haar () trimble co nz>
Date: Mon, 9 Feb 2004 12:41:02 +1300
On Tue, Jan 20, 2004 at 12:14:00PM +0100, Patrik Astrom wrote:

I noticed today that Snort seems to be mixing up signatures, below you
will find a example from my alerts log.

[**] [1:2003:2] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
01/09-16:34:45.969351 212.160.185.194:53 -> 62.xx.xx.xx:0
...
Clearly the first example is NOT a MS-SQL Worm, is there a known issue
with Snort mixing up signatures ?, I would be most grateful for any hints
or suggestions you might have.


I think this is an old bug I reported ages ago ("Definite corruption of
addresses in Snort 2.02 alert" ; Message-ID:
<20030929030424.GA20830 () trimble co nz>).

i.e. I too have had snort claim to see things that just didn't happen.

Has this issue being verified? 

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: