[Wolves] Worrying SNORT results
fizzy
wolves at mailman.lug.org.uk
Thu Feb 20 12:13:00 2003
Certainly looks suspect, especially the:
1 217.32.252.50 217.34.234.217 NNTP return code buffer overflow attempt
line. Fragroute tries to evade IDS detection by
"monkeying around with the packets"; the way snort
picks it up, IIRC, is weird, and can pick up a lot of
false positives.
http://monkey.org/~dugsong/fragroute/
Are you running an NNTP server? Are you running
tripwire (or similar) on any of your boxes?
fizz