[Snort-users] Snort 2.1.0, getting mixed up signatures.

Skip Carter skip at ...1552...
Mon Feb 9 16:24:25 EST 2004


> On Tue, Jan 20, 2004 at 12:14:00PM +0100, Patrik Astrom wrote:
> > I noticed today that Snort seems to be mixing up signatures, below you
> > will find an example from my alerts log.
> > 
> > [**] [1:2003:2] MS-SQL Worm propagation attempt [**]
> > [Classification: Misc Attack] [Priority: 2]
> > 01/09-16:34:45.969351 212.160.185.194:53 -> 62.xx.xx.xx:0
> > ...
> > Clearly the first example is NOT a MS-SQL Worm, is there a known issue
> > with Snort mixing up signatures? I would be most grateful for any hints
> > or suggestions you might have.
> 
> I think this is an old bug I reported ages ago ("Definite corruption of
> addresses in Snort 2.02 alert" ; Message-ID:
> <20030929030424.GA20830 at ...294...>).
> 
> i.e. I too have had snort claim to see things that just didn't happen.
> 
> Has this issue been verified?

I am having this problem too, with Snort 2.1.0 and the (2.1) ruleset of
2004-02-04, running on OpenBSD 3.2. I had no such problems when running
Snort 2.0.0.

The MS-SQL Worm alert is the only rule that I have noticed being incorrectly
assigned.


Skip



-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip at ...1552...
 1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
 Monterey, CA. 93940            










