Snort mailing list archives

Re: accuracy of snort?


From: Kiira Triea <kiira-t () mail bsasinc org>
Date: Wed, 8 Aug 2001 08:42:55 -0400 (EDT)


How accurate are the alerts in Snort?

Found this in the logs this morning... how seriously should I take it?
(There was only one incident from this host.)

-----------------------------------------------------
[**] [1:657:2] SMTP chameleon overflow [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 10]
08/08-07:45:51.102745 209.246.10.170:64062 -> x.x.x.x:25
TCP TTL:231 TOS:0x0 ID:47600 IpLen:20 DgmLen:1420
***A**** Seq: 0x569FF343  Ack: 0x84528B3E  Win: 0x25BC  TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2387]
[Xref => http://www.whitehats.com/info/IDS266]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0261]
-----------------------------------------------------

Hi... there is a methodology to analysis. Try first to read the
references (mitre, arachNIDS, etc.) in the alert and see the signature
which triggered the alert; evaluate whether the alert applies to your
system (this one is for Chameleon smtpd, so maybe it is not specific to
your OS and smtp daemon); then look at the packet payload, flags,
etc. and see... was it really a buffer overflow attempt or a cat who
sat on a keyboard and accidentally inserted 1k ^D into an email?

I am always telling "Managers" where I work... the IDS just gives data,
the analysis comes from me. 

HTH, 

Kiira 
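The first two triage steps above (pull the references out of the alert, then check whether the signature even applies to the targeted host), as an added example that is not from this thread or from the Snort project: a small Python parser for the Snort "full" alert block quoted in the question, followed by an applies-to-target check against a hypothetical asset inventory and a hypothetical SID-to-product table (both constructed; the masked x.x.x.x destination is replaced by a TEST-NET placeholder address).

```python
import re

# Constructed sample: the alert quoted in the question, with the masked
# destination x.x.x.x replaced by a TEST-NET placeholder address.
SAMPLE_ALERT = """\
[**] [1:657:2] SMTP chameleon overflow [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 10]
08/08-07:45:51.102745 209.246.10.170:64062 -> 192.0.2.25:25
TCP TTL:231 TOS:0x0 ID:47600 IpLen:20 DgmLen:1420
***A**** Seq: 0x569FF343  Ack: 0x84528B3E  Win: 0x25BC  TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2387]
[Xref => http://www.whitehats.com/info/IDS266]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0261]
"""

# Hypothetical asset inventory: what really listens on each host:port.
INVENTORY = {("192.0.2.25", 25): "Postfix (Linux)"}
# Hypothetical table: which product each Snort SID actually targets.
SIGNATURE_TARGETS = {657: "chameleon"}

def parse_alert(text):
    """Parse one Snort 'full'-format alert block into a dict of fields."""
    _gid, sid, rev, msg = re.search(
        r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]", text).groups()
    cls, prio = re.search(
        r"\[Classification: (.+?)\] \[Priority: (\d+)\]", text).groups()
    ts, src, sport, dst, dport = re.search(
        r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$", text, re.M).groups()
    xrefs = re.findall(r"\[Xref => (\S+)\]", text)  # references to read first
    return {"sid": int(sid), "rev": int(rev), "msg": msg, "classification": cls,
            "priority": int(prio), "timestamp": ts, "src_ip": src,
            "src_port": int(sport), "dst_ip": dst, "dst_port": int(dport),
            "xrefs": xrefs}

def applies_to_target(alert, inventory=INVENTORY, targets=SIGNATURE_TARGETS):
    """Second triage step: does the rule's target software match what the
    destination host runs?  Returns None when either side is unknown."""
    target = targets.get(alert["sid"])
    running = inventory.get((alert["dst_ip"], alert["dst_port"]))
    if target is None or running is None:
        return None
    return target.lower() in running.lower()

if __name__ == "__main__":
    a = parse_alert(SAMPLE_ALERT)
    print(f"sid {a['sid']} '{a['msg']}' priority {a['priority']} from {a['src_ip']}")
    print("applies to target:", applies_to_target(a))  # False: Postfix, not Chameleon
```

A None result means the inventory or SID table has a gap, which is itself a finding worth fixing before the next alert; the payload inspection in step three is still a manual job.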
