Re: snort rules (Was: Attack alert from snort)
On Thu, 12 Jul 2001, Martin Domig wrote:
> Hello
>
> As I am using snort I keep getting many warnings in my logfiles whose
> meaning I don't know. For example the following entry:
>
> Jul 11 01:17:46 keeper snort[6079]: IDS266 - CAN-1999-0261 - SMTP Chameleon
> Overflow: xxx.xxx.xxx.xxx:44772 -> yyy.yyy.yyy.yyy:25
Again you might want to check out the rule itself and the stream/packet
content. Some rules are prone to false positives.
> This tells me that someone is doing funny stuff to my mailserver (I keep
> getting those all the time), but I don't know what is causing this entry
> and how "dangerous" this "attack" is. Is there any resource where I can
> search for snort warnings (those IDSxxx codes) and look up more information
> about a single snort rule?
You can check out these IDS(\d+) at www.whitehats.com where you can
also find new rules and updates to older ones.
greets
Jigal
--
I can run SETI@HOME with total impunity! FORTY-TWO !
- cerebro <played by erwin in a DEC Alpha GS320>
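As an added example (not from either poster), a small Python triage script for the kind of syslog alert quoted above: it parses Snort's "IDSnnn - CVE - message: src:port -> dst:port" syslog lines, counts hits per signature and per source so repeated hits from one host stand out before you dig into the rule and packet content, and builds the arachNIDS lookup URL. The log lines are constructed for the example, and the www.whitehats.com/info/IDS... path form is assumed from Snort's arachnids reference mapping.

```python
import re
from collections import Counter

# Constructed sample syslog lines, modelled on the entry quoted in the thread.
SAMPLE_LOG = """\
Jul 11 01:17:46 keeper snort[6079]: IDS266 - CAN-1999-0261 - SMTP Chameleon Overflow: 10.0.0.5:44772 -> 192.0.2.10:25
Jul 11 01:18:02 keeper snort[6079]: IDS266 - CAN-1999-0261 - SMTP Chameleon Overflow: 10.0.0.5:44790 -> 192.0.2.10:25
Jul 11 02:03:11 keeper snort[6079]: IDS266 - CAN-1999-0261 - SMTP Chameleon Overflow: 198.51.100.7:3211 -> 192.0.2.10:25
Jul 11 02:05:40 keeper sshd[512]: Accepted password for alice from 10.0.0.9 port 51022
"""

# Snort syslog alert: "<timestamp> <host> snort[pid]: IDSnnn - <ref> - <msg>: src:port -> dst:port"
# The CVE/CAN reference part is optional, since not every rule carries one.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snort\[\d+\]: "
    r"(?P<sid>IDS\d+) - (?:(?P<cve>[A-Z]+-\d{4}-\d+) - )?(?P<msg>.+?): "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alerts(text):
    """Return one dict per line that is a Snort alert; other syslog lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            alerts.append(d)
    return alerts

def summarize(alerts):
    """Count hits per signature and per (signature, source) to spot noisy sources."""
    by_sig = Counter(a["sid"] for a in alerts)
    by_sig_src = Counter((a["sid"], a["src"]) for a in alerts)
    return by_sig, by_sig_src

def lookup_url(sid):
    """arachNIDS lookup page for an IDSnnn id (URL form assumed from Snort's reference mapping)."""
    return "http://www.whitehats.com/info/" + sid

if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_LOG)
    by_sig, by_sig_src = summarize(parsed)
    for (sid, src), n in by_sig_src.most_common():
        print(f"{sid} from {src}: {n} hit(s), see {lookup_url(sid)}")
```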