[Wolves] Worrying SNORT results

fizzy wolves at mailman.lug.org.uk
Thu Feb 20 12:13:00 2003


Certainly looks suspect, especially the:
1      217.32.252.50     217.34.234.217    NNTP return code buffer overflow attempt

line. Fragroute tries to evade IDS detection by
"monkeying around with the packets"; the way Snort
picks it up, IIRC, is weird, and it can pick up a lot of
false positives.
http://monkey.org/~dugsong/fragroute/

Are you running an NNTP server? Are you running
Tripwire (or similar) on any of your boxes?

fizz
