Snort mailing list archives

Snort 2.1.0, getting mixed up signatures.


From: Patrik Astrom <astrom () hera corecomp se>
Date: Tue, 20 Jan 2004 12:14:00 +0100 (CET)

Hi,

I'm running Snort 2.1.0 on Redhat 7.3 on one of my external sensors. I
have my output set to log_unified and logging to a local directory
(/var/log/snort). Every 5 minutes I retrieve the current unified log to
another box running barnyard, mysql and Acid for processing. By the way, is it
safe to retrieve a unified log without "hup'ing" or restarting Snort?

I noticed today that Snort seems to be mixing up signatures; below you
will find an example from my alerts log.

[**] [1:2003:2] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
01/09-16:34:45.969351 212.160.185.194:53 -> 62.xx.xx.xx:0
UDP TTL:113 TOS:0x0 ID:41364 IpLen:20 DgmLen:36
Len: 8
[Xref => http://vil.nai.com/vil/content/v_99992.htm][Xref => http://www.securityfocus.com/bid/5311][Xref => http://www.securityfocus.com/bid/5310]

[**] [1:525:5] BAD-TRAFFIC udp port 0 traffic [**]
[Classification: Misc activity] [Priority: 3]
01/09-16:37:06.149054 212.160.185.194:53 -> 62.xx.xx.xx:0
UDP TTL:113 TOS:0x0 ID:41717 IpLen:20 DgmLen:36
Len: 8
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10074][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0675]


Clearly the first example is NOT an MS-SQL Worm. Is there a known issue
with Snort mixing up signatures? I would be most grateful for any hints
or suggestions you might have.


Regards
Patrik Astrom, Stockholm
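The following is an added example, not code from the post or from the Snort project: a small parser for the "full" alert format quoted above that groups records by the packet fields Snort prints (protocol, addresses, ports, datagram and payload lengths) and reports flows on which more than one sid fired. That is the list an analyst would take to the rule bodies to check whether a rule's content/dsize constraints could really match an 8-byte UDP datagram. The two records embedded below are copied from the post with the wrapped Xref lines rejoined; the regular expressions, field names and the `find_conflicting_sids` helper are this example's own assumptions about the format, not Snort's API.

```python
import re
from collections import defaultdict

# Constructed sample: the two records quoted in the post above, with the
# line-wrapped Xref lines rejoined. Not a live capture from this sensor.
SAMPLE_ALERTS = """\
[**] [1:2003:2] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
01/09-16:34:45.969351 212.160.185.194:53 -> 62.xx.xx.xx:0
UDP TTL:113 TOS:0x0 ID:41364 IpLen:20 DgmLen:36
Len: 8
[Xref => http://vil.nai.com/vil/content/v_99992.htm][Xref => http://www.securityfocus.com/bid/5311][Xref => http://www.securityfocus.com/bid/5310]

[**] [1:525:5] BAD-TRAFFIC udp port 0 traffic [**]
[Classification: Misc activity] [Priority: 3]
01/09-16:37:06.149054 212.160.185.194:53 -> 62.xx.xx.xx:0
UDP TTL:113 TOS:0x0 ID:41717 IpLen:20 DgmLen:36
Len: 8
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10074][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0675]
"""

# Line patterns for Snort's "full" alert output (assumed layout, matching the sample).
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
PKT_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+):(\d+) -> (\S+):(\d+)$")
IP_RE = re.compile(r"^(\w+) TTL:(\d+) TOS:(\S+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
LEN_RE = re.compile(r"^Len: (\d+)$")
XREF_RE = re.compile(r"\[Xref => ([^\]]+)\]")


def parse_alerts(text):
    """Parse blank-line separated Snort full-alert records into dicts."""
    records = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        rec = {"xrefs": []}
        for line in block.splitlines():
            line = line.rstrip()
            m = HEADER_RE.match(line)
            if m:
                rec["gid"], rec["sid"], rec["rev"] = (int(m.group(i)) for i in (1, 2, 3))
                rec["msg"] = m.group(4)
                continue
            m = CLASS_RE.match(line)
            if m:
                rec["classification"], rec["priority"] = m.group(1), int(m.group(2))
                continue
            m = PKT_RE.match(line)
            if m:
                rec["ts"] = m.group(1)
                rec["src"], rec["sport"] = m.group(2), int(m.group(3))
                rec["dst"], rec["dport"] = m.group(4), int(m.group(5))
                continue
            m = IP_RE.match(line)
            if m:
                rec["proto"] = m.group(1)
                rec["ttl"], rec["ip_id"] = int(m.group(2)), int(m.group(4))
                rec["dgm_len"] = int(m.group(6))
                continue
            m = LEN_RE.match(line)
            if m:
                rec["udp_len"] = int(m.group(1))  # Snort's "Len:" line for UDP payload
                continue
            rec["xrefs"].extend(XREF_RE.findall(line))
        if "sid" in rec:  # skip fragments that never had a header line
            records.append(rec)
    return records


def flow_key(rec):
    """Packet fields that should be identical for packets that look alike to a rule."""
    return (rec.get("proto"), rec["src"], rec["sport"], rec["dst"], rec["dport"],
            rec.get("dgm_len"), rec.get("udp_len"))


def find_conflicting_sids(records):
    """Map flow_key -> sorted distinct sids, for flows on which more than one rule fired.
    These are the groups to compare against the rule bodies (content, dsize, ...)."""
    by_flow = defaultdict(set)
    for rec in records:
        by_flow[flow_key(rec)].add(rec["sid"])
    return {k: sorted(v) for k, v in by_flow.items() if len(v) > 1}


if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_ALERTS)
    for key, sids in find_conflicting_sids(recs).items():
        proto, src, sport, dst, dport, dgm, plen = key
        print(f"{proto} {src}:{sport} -> {dst}:{dport} DgmLen={dgm} Len={plen}: sids {sids}")
```

Run against a real alert file (`parse_alerts(open("/var/log/snort/alert").read())`), the output lists each 5-tuple plus length combination on which several sids fired; for the sample it reports the single flow above with sids 525 and 2003, which is exactly the pair the post is asking about.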


