[Snort-users] Snort 2.1.0, getting mixed up signatures.

Jason Haar Jason.Haar at ...294...
Sun Feb 8 15:42:01 EST 2004


On Tue, Jan 20, 2004 at 12:14:00PM +0100, Patrik Astrom wrote:
> I noticed today that Snort seems to be mixing up signatures, below you
> will find a example from my alerts log.
> 
> [**] [1:2003:2] MS-SQL Worm propagation attempt [**]
> [Classification: Misc Attack] [Priority: 2]
> 01/09-16:34:45.969351 212.160.185.194:53 -> 62.xx.xx.xx:0
> ...
> Clearly the first example is NOT a MS-SQL Worm, is there a known issue
> with Snort mixing up signatures ?, I would be most grateful for any hints
> or suggestions you might have.

I think this is an old bug I reported ages ago ("Definite corruption of
addresses in Snort 2.02 alert" ; Message-ID:
<20030929030424.GA20830 at ...294...>).

i.e. I too have had snort claim to see things that just didn't happen.

Has this issue being verified? 

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




More information about the Snort-users mailing list