Snort mailing list archives
Re: accuracy of snort?
From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 08 Aug 2001 13:42:22 -0400
Hi Pontus,

Snort itself is extremely accurate, but the rules that are given to it may not always be. You should always look at the rule that caused an alert to go off to see if it will be "promiscuous" in the general case when you're wondering about false positives. This one looks pretty specific, so I'd say that something fishy may very well have happened.

-Marty

Pontus Joakimsson wrote:
How accurate are the alerts in snort? Found this in the logs this morning... how seriously should I take it? (there was only one incident from this host)

-----------------------------------------------------
[**] [1:657:2] SMTP chameleon overflow [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 10]
08/08-07:45:51.102745 209.246.10.170:64062 -> x.x.x.x:25
TCP TTL:231 TOS:0x0 ID:47600 IpLen:20 DgmLen:1420
***A**** Seq: 0x569FF343 Ack: 0x84528B3E Win: 0x25BC TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2387]
[Xref => http://www.whitehats.com/info/IDS266]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0261]
-----------------------------------------------------

Regards,
Pontus Joakimsson

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org
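The triage step recommended in the reply above (pull the rule behind an alert and see how tightly it is constrained) can be scripted. This is an added example, not part of the original message or of Snort; the two rules in `RULES` are constructed stand-ins, not the rule text shipped with Snort, and the function names are hypothetical.

```python
import re

# Alert header as posted in the message above (destination redacted by the poster).
ALERT = """[**] [1:657:2] SMTP chameleon overflow [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 10]
08/08-07:45:51.102745 209.246.10.170:64062 -> x.x.x.x:25
"""

# Constructed rules for illustration only; NOT the text distributed with Snort.
RULES = '''
alert tcp any any -> any 25 (msg:"constructed broad rule"; content:"HELP"; sid:1000001; rev:1;)
alert tcp any any -> any 25 (msg:"constructed specific rule"; flags:A+; content:"HELP "; depth:5; nocase; dsize:>500; sid:657; rev:2;)
'''

def parse_alert(text):
    """Extract generator id, signature id, revision and message from an alert header."""
    m = re.search(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]", text)
    if not m:
        raise ValueError("no alert header found")
    gid, sid, rev = (int(x) for x in m.group(1, 2, 3))
    return {"gid": gid, "sid": sid, "rev": rev, "msg": m.group(4)}

def find_rule(rules, sid):
    """Return the rule line carrying this sid, or None if the ruleset lacks it."""
    for line in rules.splitlines():
        if re.search(r"\bsid:\s*%d\s*;" % sid, line):
            return line.strip()
    return None

def content_bytes(pattern):
    """Byte length of a content pattern; text between |...| is hex, one byte per token."""
    total = 0
    for i, part in enumerate(pattern.split("|")):
        total += len(part.split()) if i % 2 else len(part)
    return total

def rule_constraints(rule):
    """Summarise what narrows a rule: total content bytes and limiting options present."""
    contents = re.findall(r'content:\s*"([^"]*)"', rule)
    limits = [k for k in ("flags", "dsize", "depth", "offset")
              if re.search(r"\b%s:" % k, rule)]
    return {"content_bytes": sum(content_bytes(c) for c in contents), "limits": limits}

if __name__ == "__main__":
    alert = parse_alert(ALERT)
    rule = find_rule(RULES, alert["sid"])
    print(alert, rule_constraints(rule) if rule else "rule not in ruleset")
```

A rule with a short content match and no limiting options is the kind that fires "promiscuously"; the summary only surfaces those facts, and the analyst still reads the rule to make the call.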
Current thread:
- accuracy of snort? Pontus Joakimsson (Aug 08)
- Re: accuracy of snort? Kiira Triea (Aug 08)
- Re: accuracy of snort? Martin Roesch (Aug 08)
- <Possible follow-ups>
- RE: accuracy of snort? Mayers, Philip J (Aug 08)
- RE: accuracy of snort? Sloan, Craig (Aug 08)