Why is the povray.org news server filling my snort logs with

Date:02/21 13:09:51
Name:NNTP return code buffer overflow attempt
Priority:3
Type:Generic Protocol Command Decode
IP info: 204.213.191.226:119 -> 217.40.234.228:63679
References: none found
SID: 1792

http://www.snort.org/snort-db/sid.html?sid=1792

--
Rick

Kitty5 NewMedia http://Kitty5.co.uk
POV-Ray News & Resources http://Povray.co.uk
TEL : +44 (01270) 501101 - FAX : +44 (01270) 251105 - ICQ : 15776037

PGP Public Key
http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x231E1CEA

Post a reply to this message

In article <3e5628fc$1@news.povray.org> , "Rick [Kitty5]" <ric### [at] kitty5com>
wrote:

> Why is the povray.org news server filling my snort logs with

Because your intrusion detection system is defective and reporting nonsense?

    Thorsten

____________________________________________________
Thorsten Froehlich, Duisburg, Germany
e-mail: tho### [at] trfde

Visit POV-Ray on the web: http://mac.povray.org

Post a reply to this message

On Fri, 21 Feb 2003 13:21:26 -0000
"Rick [Kitty5]" <ric### [at] kitty5com> wrote:

> Why is the povray.org news server filling my snort logs with

  A look at the snort rule quickly reveals that anything containing
"200 " and with a size >100, will be logged. An IDS is not an AI system,
it depends on the mantainer to investigate and remove false positives.
It's a hard work, but at some point you will have it nicely configured
to no report too many false positives. 

-- 
Jaime Vives Piqueres
		
La Persistencia de la Ignorancia
http://www.ignorancia.org

Post a reply to this message