Full Disclosure mailing list archives
"Alert mangling" in Snort version >= 2.0.6 and < 2.1.1-RC1
From: Nicob <nicob () nicob net>
Date: Tue, 17 Feb 2004 12:36:23 +0100
Not really a vulnerability, but "alert mangling" could be a serious problem if the analysts (or the correlation engine) mainly use the classification made by Snort rather than the packet payload : "Signature mangling fixes" http://cvs.sourceforge.net/viewcvs.py/snort/snort/RELEASE.NOTES?rev=1.3 "There is a known bug since Snort 2.0.6 where the wrong label gets attached to alerts. It's been fixed in the CVS and will be released as version 2.1.1 (if it hasn't already)." http://sourceforge.net/mailarchive/message.php?msg_id=7072376 I've seen many wrong classifications because of this bug. It's weird, but the wrongly classified entries often get a "MS-SQL Worm propagation attempt" name. Example : a "open proxies" SYN scan [**] [1:2003:2] MS-SQL Worm propagation attempt [**]
02/15-17:41:08.045761 A.B.C.D:4156 -> W.X.Y.Z:3128
-- Nicob <nicob () nicob net> _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- "Alert mangling" in Snort version >= 2.0.6 and < 2.1.1-RC1 Nicob (Feb 17)