Snort mailing list archives
Re: accuracy of snort?
From: Kiira Triea <kiira-t () mail bsasinc org>
Date: Wed, 8 Aug 2001 08:42:55 -0400 (EDT)
How accurate is the alerts in snort? found this in the logs this morning... how seriously should i take it? (there were only one incident from this host) ----------------------------------------------------- [**] [1:657:2] SMTP chameleon overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 10] 08/08-07:45:51.102745 209.246.10.170:64062 -> x.x.x.x:25 TCP TTL:231 TOS:0x0 ID:47600 IpLen:20 DgmLen:1420 ***A**** Seq: 0x569FF343 Ack: 0x84528B3E Win: 0x25BC TcpLen: 20 [Xref => http://www.securityfocus.com/bid/2387] [Xref => http://www.whitehats.com/info/IDS266] [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0261] -----------------------------------------------------
Hi... there is a methodology to analysis. Try first to read the references (mitre,arachNIDS, etc.)in the alert and see the signature which triggered the alert; evaluate whether the alert applies to your system (this one is for Chameleon smptd so maybe is not specific for your OS and smtp daemon); then look at the packet payload, flags, etc. and see... was it really a buffer overflow attempt or a cat who sat on a keyboard and acccidentally inserted 1k ^D into an email? I am always telling "Managers" where I work... the IDS just gives data, the analysis comes from me. HTH, Kiira _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- accuracy of snort? Pontus Joakimsson (Aug 08)
- Re: accuracy of snort? Kiira Triea (Aug 08)
- Re: accuracy of snort? Martin Roesch (Aug 08)
- <Possible follow-ups>
- RE: accuracy of snort? Mayers, Philip J (Aug 08)
- RE: accuracy of snort? Sloan, Craig (Aug 08)