[Snort-users] Snort 2.1.0, getting mixed up signatures.
skip at ...1552...
Mon Feb 9 16:24:25 EST 2004
> On Tue, Jan 20, 2004 at 12:14:00PM +0100, Patrik Astrom wrote:
> > I noticed today that Snort seems to be mixing up signatures, below you
> > will find an example from my alerts log.
> > [**] [1:2003:2] MS-SQL Worm propagation attempt [**]
> > [Classification: Misc Attack] [Priority: 2]
> > 01/09-16:34:45.969351 188.8.131.52:53 -> 62.xx.xx.xx:0
> > ...
> > Clearly the first example is NOT a MS-SQL Worm, is there a known issue
> > with Snort mixing up signatures? I would be most grateful for any hints
> > or suggestions you might have.
> I think this is an old bug I reported ages ago ("Definite corruption of
> addresses in Snort 2.02 alert" ; Message-ID:
> <20030929030424.GA20830 at ...294...>).
> i.e. I too have had Snort claim to see things that just didn't happen.
> Has this issue been verified?
I am having this problem too, with Snort 2.1.0 and the (2.1) ruleset of
running on OpenBSD 3.2. I had no such problems when running Snort 2.0.0
The MS-SQL Worm alert is the only rule that I have noticed being incorrectly
Dr. Everett (Skip) Carter Phone: 831-641-0645 FAX: 831-641-0647
Taygeta Scientific Inc. INTERNET: skip at ...1552...
1340 Munras Ave., Suite 314 WWW: http://www.taygeta.com
Monterey, CA. 93940