Snort mailing list archives

Re: Snort 2.1.0, getting mixed up signatures.


From: Skip Carter <skip () taygeta com>
Date: Mon, 09 Feb 2004 16:04:01 -0800


On Tue, Jan 20, 2004 at 12:14:00PM +0100, Patrik Astrom wrote:
I noticed today that Snort seems to be mixing up signatures, below you
will find an example from my alerts log.

[**] [1:2003:2] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
01/09-16:34:45.969351 212.160.185.194:53 -> 62.xx.xx.xx:0
...
Clearly the first example is NOT a MS-SQL Worm, is there a known issue
with Snort mixing up signatures? I would be most grateful for any hints
or suggestions you might have.

I think this is an old bug I reported ages ago ("Definite corruption of
addresses in Snort 2.02 alert" ; Message-ID:
<20030929030424.GA20830 () trimble co nz>).

i.e. I too have had snort claim to see things that just didn't happen.

Has this issue been verified?

  I am having this problem too, with Snort 2.1.0 and the (2.1) ruleset of
  2004-02-04, running on OpenBSD 3.2.   I had no such problems when running
  Snort 2.0.0

  The MS-SQL Worm alert is the only rule that I have noticed being
  incorrectly assigned.


Skip



-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip () taygeta com
 1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
 Monterey, CA. 93940            
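
The alert quoted in this thread cites sid 2003 yet shows source port 53 and destination port 0. As an added example (not part of the original message and not Snort code), the Python script below cross-checks alert_full entries against the port fields of the rule header they cite. The abbreviated rule text, its assumed destination port 1434, and the second alert are constructed for illustration; load your own rules and alert files instead.

```python
import re

# Abbreviated rule (only msg/sid/rev options kept); ASSUMED to match the header
# of the stock sid 2003 rule. Replace with the contents of your .rules files.
RULES = '''
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; sid:2003; rev:2;)
'''

# First alert is the one quoted in the thread; the second is constructed.
ALERTS = '''
[**] [1:2003:2] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
01/09-16:34:45.969351 212.160.185.194:53 -> 62.xx.xx.xx:0

[**] [1:2003:2] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
01/09-16:35:02.114870 192.0.2.10:3072 -> 198.51.100.7:1434
'''

# action proto src_ip src_port -> dst_ip dst_port (... sid:N; ...)
# Bidirectional (<>) rules are not handled and are skipped.
RULE_RE = re.compile(
    r'^\w+\s+\w+\s+\S+\s+(\S+)\s+->\s+\S+\s+(\S+)\s+\(.*?\bsid:\s*(\d+);', re.M)
ALERT_RE = re.compile(
    r'\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]\n(?:\[.*\]\n)*'
    r'(\S+) (\S+?):(\d+) -> (\S+?):(\d+)')

def port_matches(spec, port):
    """True if `port` satisfies a rule port field: any, N, lo:hi, :hi, lo:, !spec."""
    if spec == 'any' or '$' in spec:      # port variables are not resolved here
        return True
    if spec.startswith('!'):
        return not port_matches(spec[1:], port)
    lo, _, hi = spec.partition(':')
    if ':' not in spec:
        hi = lo
    return int(lo or 0) <= port <= int(hi or 65535)

def suspect_alerts(rules_text, alerts_text):
    """Return alerts whose ports cannot satisfy the header of the rule they cite."""
    headers = {int(sid): (sp, dp) for sp, dp, sid in RULE_RE.findall(rules_text)}
    out = []
    for m in ALERT_RE.finditer(alerts_text):
        gid, sid, _rev, _msg, ts, src, sport, dst, dport = m.groups()
        if gid != '1' or int(sid) not in headers:
            continue                      # only text rules (gid 1) with a known header
        sp, dp = headers[int(sid)]
        if not (port_matches(sp, int(sport)) and port_matches(dp, int(dport))):
            out.append((ts, int(sid), f'{src}:{sport} -> {dst}:{dport}', f'{sp} -> {dp}'))
    return out
```

Any entry returned is an alert that the cited rule could not have produced from that packet, which is the kind of evidence worth attaching to a bug report like this one.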










