
Re: snort rules (Was: Attack alert from snort)



On Thu, 12 Jul 2001, Martin Domig wrote:

> As I am using snort, I keep getting many warnings in my logfiles whose
> meaning I don't know. For example the following entry:
>
> Jul 11 01:17:46 keeper snort[6079]: IDS266 - CAN-1999-0261 - SMTP Chameleon
> Overflow: xxx.xxx.xxx.xxx:44772 -> yyy.yyy.yyy.yyy:25
>
> This tells me that someone is doing funny stuff to my mailserver (I keep
> getting those all the time), but I don't know what is causing this entry
> and how "dangerous" this "attack" is. Is there any resource where I can
> search for snort warnings (those IDSxxx codes) and look up more information
> about a single snort rule?

http://www.whitehats.com/IDS/266

All Chameleon alerts I've seen were false positives. Basically any IP
packet directed to TCP port 25 longer than 500 bytes and having the word
help in the first 5 bytes triggers the rule. I don't think it's possible
to tell snort the difference between a false alert and a real intrusion.

-- 
Tot ziens,

Bart-Jan
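An added example, not part of Bart-Jan's reply, of the Snort rule text or of anything on whitehats.com: the match condition described above (TCP payload to port 25, longer than 500 bytes, with "help" somewhere in the first 5 bytes) re-implemented in Python and run over a few constructed segments, together with a triage heuristic for sorting the resulting alerts offline. The rule option values (dsize:>500, content "help" matched case-insensitively at depth 5) are an assumption read from the description, the sample payloads are constructed, and the triage idea is mine: an overflow aimed at a HELP handler has to put the oversized argument on the HELP command line itself, so a matching segment whose first CRLF-terminated line is short (a mid-stream chunk of a message body that happens to begin with "Help") is far more likely noise.

```python
"""Added example, not the original Snort rule or whitehats.com code:
re-implementation of the IDS266 "SMTP Chameleon Overflow" match condition
as described in the reply, plus a post-alert triage heuristic.

Assumptions (not from the page): the rule is taken to be dsize:>500 with
content "help" matched case-insensitively within the first 5 payload bytes
(depth:5); all sample payloads below are constructed, not captured.
"""

RULE_DST_PORT = 25
RULE_DSIZE = 500          # payload must be longer than this many bytes
RULE_DEPTH = 5            # content must occur within the first 5 bytes
RULE_CONTENT = b"help"    # matched without regard to case


def chameleon_rule_matches(dst_port: int, payload: bytes) -> bool:
    """True when a single TCP segment satisfies the described rule."""
    if dst_port != RULE_DST_PORT:
        return False
    if len(payload) <= RULE_DSIZE:
        return False
    return RULE_CONTENT in payload[:RULE_DEPTH].lower()


def first_line_length(payload: bytes) -> int:
    """Bytes before the first CRLF, or the whole payload if there is none."""
    end = payload.find(b"\r\n")
    return len(payload) if end < 0 else end


def triage(dst_port: int, payload: bytes) -> str:
    """Classify one segment.

    Heuristic (an assumption, not ground truth): an overflow against a HELP
    command handler needs the oversized argument on the HELP line itself,
    so a matching segment whose first line is short is most likely a chunk
    of ordinary mail text that happens to start with "help".
    """
    if not chameleon_rule_matches(dst_port, payload):
        return "no-match"
    if first_line_length(payload) > RULE_DSIZE:
        return "oversized-help-command"
    return "likely-false-positive"


# Constructed sample segments (not captured traffic).
SAMPLES = {
    # A HELP command with a ~600-byte argument: what the rule is meant to catch.
    "overflow-style": b"HELP " + b"A" * 600 + b"\r\n",
    # A mail body chunk that begins with "Help" and is long only because it
    # carries many ordinary lines; it still trips the rule as described.
    "body-chunk": b"Help wanted: volunteers for the weekend.\r\n"
                  + b"Please reply to the list if you can make it.\r\n" * 12,
    # Ordinary SMTP greeting, far below the size threshold.
    "ehlo": b"EHLO mail.example.org\r\n",
    # Same oversized payload but not aimed at port 25.
    "wrong-port": b"HELP " + b"A" * 600 + b"\r\n",
}
SAMPLE_PORTS = {"overflow-style": 25, "body-chunk": 25, "ehlo": 25, "wrong-port": 80}


def triage_all() -> dict:
    """Run triage over every sample; returns {name: verdict}."""
    return {name: triage(SAMPLE_PORTS[name], data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name:15s} {verdict}")
```

The rule itself fires on both the 600-byte HELP line and the body chunk, which is the false-positive behaviour the reply complains about; the first-line check separates the two, but it is a log-review aid, not something the per-packet rule can express on its own.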


