On Thu, 12 Jul 2001, Martin Domig wrote:

> As I am using snort I keep getting many warnings in my logfiles which I
> don't know what they mean. For example the following entry:
>
> Jul 11 01:17:46 keeper snort[6079]: IDS266 - CAN-1999-0261 - SMTP Chameleon
> Overflow: xxx.xxx.xxx.xxx:44772 -> yyy.yyy.yyy.yyy:25
>
> This tells me that someone is doing funny stuff to my mailserver (I keep
> getting those all the time), but I don't know what is causing this entry
> and how "dangerous" this "attack" is. Is there any resource where I can
> search for snort warnings (those IDSxxx codes) and look up more information
> about a single snort rule?
http://www.whitehats.com/IDS/266

All Chameleon alerts I've seen were false positives. Basically any IP packet directed to TCP port 25 longer than 500 bytes and having the word "help" in the first 5 bytes triggers the rule. I don't think it's possible to tell snort the difference between a false alert and a real intrusion.

--
Tot ziens,
Bart-Jan
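To see why the rule fires so readily on ordinary mail traffic, here is an added example (not code from the thread, the Snort project or the whitehats database) that re-implements the three conditions Bart-Jan lists as a hypothetical matcher and runs it over constructed sample segments. The `Packet` class, the function names and the sample addresses are assumptions made for this illustration; the case-insensitive match on "help" is also an assumption, since the reply does not say how the real rule compares the bytes.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Packet:
    """Minimal view of a TCP segment: the only fields the rule looks at."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def matches_chameleon_rule(pkt: Packet) -> bool:
    """Hypothetical re-implementation of the conditions described in the reply:
    destination TCP port 25, payload longer than 500 bytes, and the word
    'help' somewhere in the first 5 payload bytes. Case-insensitive comparison
    is an assumption, since SMTP commands are case-insensitive."""
    if pkt.dport != 25:
        return False
    if len(pkt.payload) <= 500:
        return False
    return b"help" in pkt.payload[:5].lower()


def alerts_for(packets: List[Packet]) -> List[str]:
    """Return one alert line, in the style of the log entry quoted above, per
    segment that matches the rule."""
    return [
        f"SMTP Chameleon Overflow: {p.src}:{p.sport} -> {p.dst}:{p.dport}"
        for p in packets
        if matches_chameleon_rule(p)
    ]


# Constructed sample traffic (documentation-range addresses, not real hosts).
SAMPLES = [
    # A plain HELP command on its own: far too short to match.
    Packet("192.0.2.10", 44772, "198.51.100.5", 25, b"HELP\r\n"),
    # HELP followed by more client data in the same segment so that the
    # payload exceeds 500 bytes: legitimate traffic, yet the rule fires.
    Packet("192.0.2.11", 40001, "198.51.100.5", 25,
           b"HELP\r\nMAIL FROM:<a@example.test>\r\n" + b"x" * 600),
    # Same shape of payload to port 80: not SMTP, so no match.
    Packet("192.0.2.12", 40002, "198.51.100.5", 80, b"help" + b"y" * 600),
    # Large SMTP payload that does not start with 'help': no match.
    Packet("192.0.2.13", 40003, "198.51.100.5", 25, b"DATA\r\n" + b"z" * 600),
]


if __name__ == "__main__":
    for line in alerts_for(SAMPLES):
        print(line)
```

The second sample shows the point of the reply: nothing in the three checks distinguishes an attack from a client that happens to send "HELP" followed by enough bytes in one segment, which is why the alert is worth correlating with the mail server's own logs before treating it as an intrusion.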