I'm having trouble making sense of the rule numbering.
I want to make sure I'm identifying and managing the correct rules.
Example: I have the following rule being tripped:
/var/log/ips/2012/02/ips-2012-02-29.log.gz:2012:02:29-16:38:57 wahine snort[11695]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="SMTP Ipswitch IMail Server Mailing List Message Subject buffer overflow" group="225" srcip="10.1.1.6" dstip="10.1.1.2" proto="6" srcport="54661" dstport="25" sid="19213" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
This appears to be a false positive so I want to turn it off.
However, sid 19213 does not exist in the Snort database.
Searching for the text of the rule comes up with the article shown at the bottom of this post.
Issues:
1) Why don't the numbers align?
2) The Snort article indicates there are no known false positives. I'd like to understand more.
Article below found here: Snort ::
Can someone help clarify?
Thanks
_______________snort description of similar [same?] rule ____________
SID 16201
Summary
This event is generated when an attempt is made to exploit a known vulnerability in IMail Server.
Impact
Denial of Service. Information disclosure. Loss of integrity.
Detailed Information
Format string vulnerability in the SMTP service in IMail Server 8.20 in Ipswitch Collaboration Suite (ICS) before 2.02 allows remote attackers to execute arbitrary code via format string specifiers to the (1) EXPN, (2) MAIL, (3) MAIL FROM, and (4) RCPT TO commands.
Affected Systems
ipswitch imail server 8.20
Attack Scenarios
Format string vulnerabilities can be very simple to attack. Any program that reads a format string as an input parameter can be exploited if the argument can be controlled by the attacker.
Ease Of Attack
Medium.
False Positives
None known.
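To work out which rule a UTM alert line actually refers to, the first step is to pull the fields out of the record. The following parser is an added example written for this thread, not code from the poster or from Sophos/Snort; it reads the key="value" format of the alert quoted above and aggregates hits per rule identity. It assumes that the generator= and sid= fields correspond to the Snort GID and SID and that id= is the UTM's own message id, none of which the post confirms.

```python
import re
from collections import defaultdict

# Constructed sample: the alert from the post as grep prints it (file path
# prefix, syslog header, then key="value" fields), plus a copy from a second
# source host to show aggregation.
ALERT = (
    '/var/log/ips/2012/02/ips-2012-02-29.log.gz:2012:02:29-16:38:57 wahine '
    'snort[11695]: id="2101" severity="warn" sys="SecureNet" sub="ips" '
    'name="Intrusion protection alert" action="alert" '
    'reason="SMTP Ipswitch IMail Server Mailing List Message Subject buffer overflow" '
    'group="225" srcip="10.1.1.6" dstip="10.1.1.2" proto="6" srcport="54661" '
    'dstport="25" sid="19213" class="Attempted Administrator Privilege Gain" '
    'priority="1" generator="1" msgid="0"'
)
SAMPLE_LINES = [ALERT, ALERT.replace('srcip="10.1.1.6"', 'srcip="10.1.1.9"')]

KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_ips_line(line):
    """Return the key="value" fields of one record as a dict; the grep path
    prefix and the syslog header contain no '=' and are skipped."""
    return dict(KV_RE.findall(line))

def rule_identity(fields):
    """Snort rules are addressed as gid:sid. Assumption: generator= carries
    the GID and sid= the SID, while id= is the UTM's own log message id."""
    return f'{fields["generator"]}:{fields["sid"]}'

def summarize_alerts(lines):
    """Aggregate hits per rule identity with the reason text and the set of
    source addresses, the data needed to judge a suspected false positive."""
    summary = defaultdict(lambda: {"count": 0, "reason": None, "srcips": set()})
    for line in lines:
        fields = parse_ips_line(line)
        if fields.get("sub") != "ips" or "sid" not in fields:
            continue  # not an IPS alert record
        entry = summary[rule_identity(fields)]
        entry["count"] += 1
        entry["reason"] = fields.get("reason")
        entry["srcips"].add(fields.get("srcip"))
    return dict(summary)

if __name__ == "__main__":
    for ident, info in summarize_alerts(SAMPLE_LINES).items():
        print(ident, info["count"], sorted(info["srcips"]), info["reason"])
```

Run against a whole day's log (zcat the .gz file and pass the lines in) to see how many distinct sources trip the rule before deciding it is a false positive.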