Re: snort rules (Was: Attack alert from snort)

On Thu, 12 Jul 2001, Martin Domig wrote:

> As I am using snort I keep getting many warnings in my logfiles which I
> don't know what they mean. For example the following entry:
> Jul 11 01:17:46 keeper snort[6079]: IDS266 - CAN-1999-0261 - SMTP Chameleon
> Overflow: xxx.xxx.xxx.xxx:44772 -> yyy.yyy.yyy.yyy:25
> This tells me that someone is doing funny stuff to my mailserver (I keep
> getting those all the time), but I don't know what is causing this entry
> and how "dangerous" this "attack" is. Is there any resource where I can
> search for snort warnings (those IDSxxx codes) and look up more information
> about a single snort rule?


All Chameleon alerts I've seen were false positives. Basically any IP
packet directed to TCP port 25 longer than 500 bytes and having the word
"help" in the first 5 bytes triggers the rule. I don't think it's possible
to tell snort the difference between a false alert and a real intrusion.
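To make the three conditions in the reply concrete, here is an added Python emulation of that rule logic run over constructed SMTP payloads. It is not the actual snort rule or code from the list, and it assumes a case-insensitive match on "help"; the `refined_matches` heuristic (alerting only when the HELP command line itself is long) is an assumption added here to show one way a defender might separate a legitimate pipelined session from a long HELP argument, not something the reply claims snort can do.

```python
# Emulation of the Chameleon rule as described in the reply above.
# Constructed example; not the real snort rule or the list author's code.
from dataclasses import dataclass

SMTP_PORT = 25
MIN_PAYLOAD_LEN = 500   # "longer than 500 bytes" condition from the reply
HELP_PREFIX_WINDOW = 5  # "help" must appear within the first 5 bytes


@dataclass
class Packet:
    dst_port: int
    payload: bytes


def chameleon_rule_matches(pkt: Packet) -> bool:
    """True when the packet meets all three conditions stated in the reply.
    Case-insensitive comparison is an assumption made here."""
    if pkt.dst_port != SMTP_PORT:
        return False
    if len(pkt.payload) <= MIN_PAYLOAD_LEN:
        return False
    return b"help" in pkt.payload[:HELP_PREFIX_WINDOW].lower()


def first_line_length(payload: bytes) -> int:
    """Length of the first SMTP command line (up to the first CRLF)."""
    line, _, _ = payload.partition(b"\r\n")
    return len(line)


def refined_matches(pkt: Packet, max_line_len: int = 128) -> bool:
    """Assumed refinement (not from the reply): only flag packets where the
    HELP command line itself is unusually long, so a short HELP followed
    by other pipelined commands and data does not trigger."""
    return chameleon_rule_matches(pkt) and first_line_length(pkt.payload) > max_line_len


# Constructed sample traffic (not captured from a real server).
SAMPLES = {
    # short HELP on its own: under 500 bytes, never matches
    "short_help": Packet(25, b"HELP\r\n"),
    # benign-looking session: HELP then pipelined commands and a large body,
    # the kind of long packet the reply says produces a false positive
    "long_session": Packet(
        25,
        b"HELP\r\nMAIL FROM:<a@example.test>\r\nRCPT TO:<b@example.test>\r\n"
        b"DATA\r\n" + b"X" * 600 + b"\r\n.\r\n",
    ),
    # HELP with a very long argument on the command line itself
    "long_help_arg": Packet(25, b"HELP " + b"A" * 700 + b"\r\n"),
    # same bytes to a non-SMTP port: port condition fails
    "other_port": Packet(110, b"HELP " + b"A" * 700 + b"\r\n"),
}


def classify(packets: dict) -> dict:
    """Map each sample name to (matches_rule_as_described, matches_refined)."""
    return {name: (chameleon_rule_matches(p), refined_matches(p)) for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in classify(SAMPLES).items():
        print(f"{name:14s} rule={verdict[0]!s:5s} refined={verdict[1]}")
```

Running it shows the long pipelined session trips the rule as described while the refined check stays quiet on it; only the packet whose HELP line is itself hundreds of bytes trips both.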

