[Snort-users] id check returned root ?!?!

Frank Knobbe fknobbe at ...652...
Sat Jun 28 11:58:12 EDT 2003


On Sat, 2003-06-28 at 12:31, Michael D. Schleif wrote:
> Also sprach Nicholas Delo (Sat 28 Jun 02003 at 12:58:26PM -0400):
> > Check the packet contents to make sure that it is not a false positive.

> Is it safe to *assume* that if my box is _not_ the destination `to',
> then I am *NOT* under attack?

Nope. For one, never assume :)  We can probably list dozens of scenarios
where the assumption doesn't hold up. Second, I argue that signature
descriptions and source/dest are still meaningless by themselves (unless
we reach a state of 0 false positives... like that is ever gonna
happen). Instead do as Nicholas said: Check the packet content.

In my opinion, signature names, classes, which side (src or dst) your IP
is on, are only indications or guesses. Only the packet content can
reveal the truth to you. (That's why IDS's that don't show packet
content suck big time...)

Regards,
Frank
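The triage Frank describes, as an added example that is not part of his post or of Snort: an alert line is parsed only for orientation, and the verdict comes from reading the payload around the string that fired the rule. It assumes the "id check returned root" signature matches the text `uid=0(root)` and carries sid 498 (both assumptions, not stated in the thread); the alert line and the two payloads are constructed for the example, not real captures. The web-page payload shows the false-positive case the thread is about: the same bytes appear inside an HTML document, so neither the signature name nor the src/dst pairing tells you anything on its own.

```python
import re

# Assumed content match of the signature under discussion (not from the post).
TRIGGER = b"uid=0(root)"

# Constructed alert line in Snort "fast" format (sid 498 is assumed) and two
# constructed payloads; none of these are real captures.
ALERT_LINE = ("06/28-12:31:05.123456  [**] [1:498:6] ATTACK-RESPONSES id check "
              "returned root [**] [Classification: Potentially Bad Traffic] "
              "[Priority: 2] {TCP} 10.0.0.5:23 -> 192.168.1.7:40112")

SHELL_RESPONSE = b"uid=0(root) gid=0(root) groups=0(root)\r\n# "
WEB_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b"<html><body><p>Output of id: uid=0(root) gid=0(root)</p></body></html>")

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_fast_alert(line):
    """Pull gid/sid/rev, message, protocol and endpoints out of a fast-format alert."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError("not a fast-format alert line")
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "sport", "dport"):
        alert[key] = int(alert[key])
    return alert


# Markers of an application-layer document (web page, mail, markup). If the
# trigger string sits inside one of these, it is text being transferred, not
# the reply of an id(1) command on a command channel.
DOCUMENT_MARKERS = (b"HTTP/", b"GET ", b"POST ", b"Content-Type:", b"From:", b"<html")

# Shape of genuine id(1) output at the start of a line.
ID_OUTPUT_RE = re.compile(rb"^uid=\d+\([^)]+\) gid=\d+\([^)]+\)")


def inspect_payload(payload, trigger=TRIGGER, width=24):
    """Locate the trigger string and judge it by its surroundings."""
    off = payload.find(trigger)
    if off < 0:
        return {"matched": False,
                "verdict": "trigger string absent: alert does not apply to this payload"}
    # Bytes on either side of the match, shown as text for the analyst.
    window = payload[max(0, off - width): off + len(trigger) + width]
    # The whole line the match sits on.
    line_start = payload.rfind(b"\n", 0, off) + 1
    line_end = payload.find(b"\n", off)
    if line_end < 0:
        line_end = len(payload)
    line = payload[line_start:line_end].rstrip(b"\r")
    if any(marker in payload for marker in DOCUMENT_MARKERS):
        verdict = "embedded in an application document: probably a false positive, confirm by reading the session"
    elif ID_OUTPUT_RE.match(line):
        verdict = "looks like raw id(1) output on a command channel: treat as a real finding"
    else:
        verdict = "inconclusive: read the full session"
    return {"matched": True, "offset": off,
            "context": window.decode("ascii", "replace"), "verdict": verdict}


def triage(alert_line, payload, local_hosts):
    """Combine the alert metadata with the payload verdict. Which side the local
    host is on is recorded as an indication only; the verdict comes from the bytes."""
    alert = parse_fast_alert(alert_line)
    if alert["dst"] in local_hosts:
        side = "destination"
    elif alert["src"] in local_hosts:
        side = "source"
    else:
        side = "neither"
    result = inspect_payload(payload)
    result["alert"] = alert
    result["local_side"] = side
    return result


if __name__ == "__main__":
    for name, payload in (("shell response", SHELL_RESPONSE), ("web page", WEB_PAGE)):
        r = triage(ALERT_LINE, payload, {"192.168.1.7"})
        print(f"{name}: local host is {r['local_side']}; {r['verdict']}")
        print("   context:", repr(r["context"]))
```

Running it prints the two verdicts side by side: the same alert, the same src/dst pairing with the local host as destination, and only the payload context separates the real `id` reply from the document that merely contains the string.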
