Re: accuracy of snort?

[Martin Roesch <roesch () sourcefire com>]

Hi Pontus,
     Snort itself is extremely accurrate, but the rules that are given
to it may not always be.  You should always look at the rule that caused
an alert to go off to see if it will be "promiscuous" in the general
case when you're wondering about false positives.  This one looks pretty
specific, so I'd say that something fishy may very well have happened.

     -Marty

Pontus Joakimsson wrote:
> How accurate is the alerts in snort?
>
> found this in the logs this morning... how seriously should i take it?
> (there were only one incident from this host)
>
> -----------------------------------------------------
> [**] [1:657:2] SMTP chameleon overflow [**]
> [Classification: Attempted Administrator Privilege Gain] [Priority: 10]
> 08/08-07:45:51.102745 209.246.10.170:64062 -> x.x.x.x:25
> TCP TTL:231 TOS:0x0 ID:47600 IpLen:20 DgmLen:1420
> ***A**** Seq: 0x569FF343  Ack: 0x84528B3E  Win: 0x25BC  TcpLen: 20
> [Xref => http://www.securityfocus.com/bid/2387]
> [Xref => http://www.whitehats.com/info/IDS266]
> [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0261]
> -----------------------------------------------------
>
> Regards,
>   Pontus Joakimsson
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users