Snort mailing list archives
Re: id check returned root ?!?!
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 28 Jun 2003 13:57:50 -0500
On Sat, 2003-06-28 at 12:31, Michael D. Schleif wrote:
> Also sprach Nicholas Delo (Sat 28 Jun 02003 at 12:58:26PM -0400):
> > Check the packet contents to make sure that it is not a false positive.
>
> Is it safe to *assume* that if my box is _not_ the destination `to', then I am *NOT* under attack?
Nope. For one, never assume :) We can probably list dozens of scenarios where the assumption doesn't hold up. Second, I argue that signature descriptions and source/dest are still meaningless by themselves (unless we reach a state of 0 false positives... like that is ever gonna happen).

Instead do as Nicholas said: Check the packet content. In my opinion, signature names, classes, which side (src or dst) your IP is on, are only indications or guesses. Only the packet content can reveal the truth to you. (That's why IDS's that don't show packet content suck big time...)

Regards,
Frank
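Frank's point is that the alert name and which side your address sits on are only hints, and that the payload decides. The following is an added illustration, not code from this thread or from the Snort project: a small triage helper that takes the content clause of the stock Snort rule behind this alert ("uid=0|28|root|29|", Snort's pipe-hex syntax for "uid=0(root)"), checks whether a captured payload really contains it, shows the surrounding bytes for a human to read, and records two things the thread argues matter more than the rule name: whether the text is leaving a local host (a response rule matches command output, so the local box being the *source* is the worrying direction) and whether the match sits inside an ordinary web document such as a man page. The `inside_web_document` heuristic and the sample packets are my own assumptions, constructed from documentation address ranges.

```python
import re
from dataclasses import dataclass

# Content clause of the stock Snort rule "ATTACK-RESPONSES id check returned root".
# Snort writes non-printable bytes between pipes as hex, so |28| and |29| are "(" and ")".
ID_CHECK_CONTENT = "uid=0|28|root|29|"


def parse_snort_content(spec: str) -> bytes:
    """Convert a Snort content string with |hh hh| hex escapes into raw bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:                 # literal text outside the pipes
            out.extend(part.encode("latin-1"))
        elif part.strip():             # hex digits between the pipes
            out.extend(bytes.fromhex(part))
    return bytes(out)


@dataclass
class Alert:
    msg: str
    src: str
    dst: str
    payload: bytes


@dataclass
class Triage:
    matched: bool              # does the payload really contain the rule content?
    offset: int                # where in the payload it matched (-1 if it did not)
    context: str               # bytes around the match, for a human to read
    local_is_source: bool      # the text left a local host: the worrying direction for a response rule
    inside_web_document: bool  # heuristic (assumption): match sits in an HTTP text/* body


def triage_alert(alert: Alert, local_hosts: set, window: int = 32) -> Triage:
    needle = parse_snort_content(ID_CHECK_CONTENT)
    off = alert.payload.find(needle)
    local_src = alert.src in local_hosts
    if off < 0:
        return Triage(False, -1, "", local_src, False)
    lo, hi = max(0, off - window), off + len(needle) + window
    context = alert.payload[lo:hi].decode("latin-1")
    # Heuristic: an HTTP response with a text body (a man page, a wiki article about
    # id(1)) legitimately contains the string; this is an assumption, not a Snort feature.
    head = alert.payload[:512].decode("latin-1")
    web_doc = head.startswith("HTTP/1.") and re.search(r"(?i)content-type:\s*text/", head) is not None
    return Triage(True, off, context, local_src, web_doc)


# Constructed sample traffic using documentation address ranges; not real captures.
LOCAL = {"192.0.2.10"}
WEB_PAGE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><h1>id(1)</h1><pre>$ id\nuid=0(root) gid=0(root)</pre></body></html>"
)
SHELL_OUTPUT = b"uid=0(root) gid=0(root) groups=0(root)\n"


def demo():
    """Same rule, same alert name, two very different payloads."""
    benign = triage_alert(
        Alert("ATTACK-RESPONSES id check returned root", "203.0.113.5", "192.0.2.10", WEB_PAGE), LOCAL)
    worrying = triage_alert(
        Alert("ATTACK-RESPONSES id check returned root", "192.0.2.10", "203.0.113.5", SHELL_OUTPUT), LOCAL)
    return benign, worrying


if __name__ == "__main__":
    for t in demo():
        print(t)
```

Both alerts carry the identical signature name; only after reading `context`, `local_is_source` and `inside_web_document` does the analyst know which one is a web page about `id` arriving at the local box and which one is command output leaving it.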
Current thread:
- id check returned root ?!?! Michael D. Schleif (Jun 28)
- Re: id check returned root ?!?! MH (Jun 28)
- Re: id check returned root ?!?! james (Jun 28)
- Re: id check returned root ?!?! Nicholas Delo (Jun 28)
- Re: id check returned root ?!?! Michael D. Schleif (Jun 28)
- Re: id check returned root ?!?! Frank Knobbe (Jun 28)
- Re: id check returned root ?!?! Michael D. Schleif (Jun 28)
- Re: id check returned root ?!?! Erek Adams (Jun 28)
- Re: id check returned root ?!?! Michael D. Schleif (Jun 28)
- Re: id check returned root ?!?! Erek Adams (Jun 28)
- Re: id check returned root ?!?! Michael D. Schleif (Jun 28)
- Re: id check returned root ?!?! MH (Jun 28)