List: sguil-users
Subject: [Sguil-users] How to know if alert is valid or false?
From: Jim Balo <jimbalo22 () yahoo ! com>
Date: 2008-09-19 5:50:14
Message-ID: 292577.72785.qm () web63005 ! mail ! re1 ! yahoo ! com
Hi,

In analyzing some high-priority alerts I get in Sguil, I find it really hard to know if what I am looking at is an attack attempt or just poorly formatted data that happens to trigger an alert. Example of two alerts:

"WEB-CLIENT Adobe BMP image handler buffer overflow attempt" (SID=13685) (source: Digex, Incorporated.)

"WEB-CLIENT Mozilla bitmap width integer overflow multipacket attempt" (SID=3634) (source: Google.com)

I have other similar alerts, many from Yahoo. The fact that the alert is coming from Google or Yahoo probably makes it safe to assume that it is a false alert or triggered by malformed data, but it still feels a bit reckless to ignore alerts only based on that. But short of studying the internal structure of BMPs or other image formats, etc., how would you really be able to tell?

Any advice on how to quickly come to a sound decision on alerts like these would be great.

Thanks,
JB
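The two rule names in the post both key on the bitmap header (one on the width field), so the triage question comes down to whether the header fields in the captured response are internally consistent. The script below is an added example, not part of this post or of the Sguil project: it parses the BITMAPFILEHEADER and BITMAPINFOHEADER from a byte string (the HTTP response body carved from the session's packet capture) and reports the header anomalies an analyst would want to see, including the pixel-buffer size that a 32-bit decoder would compute and whether it wraps. The 32768-pixel dimension threshold and the two sample images are assumptions constructed for the example.

```python
import struct

# Layout of the two fixed BMP headers (little-endian), as documented for the format:
# BITMAPFILEHEADER: bfType, bfSize, bfReserved1, bfReserved2, bfOffBits
FILE_HEADER = struct.Struct("<2sIHHI")
# BITMAPINFOHEADER: biSize, biWidth, biHeight, biPlanes, biBitCount, biCompression,
#                   biSizeImage, biXPelsPerMeter, biYPelsPerMeter, biClrUsed, biClrImportant
INFO_HEADER = struct.Struct("<IiiHHIIiiII")

U32_MAX = 0xFFFFFFFF
MAX_DIM = 1 << 15          # assumption: a dimension above 32768 px is odd for web content
VALID_BPP = (1, 4, 8, 16, 24, 32)


def analyze_bmp(data: bytes) -> dict:
    """Parse the BMP headers in ``data`` and return the key fields plus a list of
    anomaly strings; an empty list means the header is internally consistent."""
    findings = []
    if len(data) < FILE_HEADER.size + INFO_HEADER.size:
        return {"valid": False, "findings": ["truncated: headers incomplete"]}

    bf_type, bf_size, _res1, _res2, off_bits = FILE_HEADER.unpack_from(data, 0)
    (bi_size, width, height, planes, bpp, compression, _size_image,
     _xppm, _yppm, clr_used, _clr_important) = INFO_HEADER.unpack_from(data, FILE_HEADER.size)

    if bf_type != b"BM":
        findings.append("bad magic %r" % bf_type)
    if bi_size < INFO_HEADER.size:
        findings.append("info header too small (%d bytes)" % bi_size)
    if bf_size != len(data):
        findings.append("declared size %d != %d bytes captured" % (bf_size, len(data)))
    if off_bits > len(data):
        findings.append("pixel data offset %d lies beyond the captured bytes" % off_bits)
    if planes != 1:
        findings.append("planes=%d (format requires 1)" % planes)
    if bpp not in VALID_BPP:
        findings.append("unusual bit depth %d" % bpp)
    if width <= 0 or height == 0:
        findings.append("non-positive width or zero height")
    if abs(width) > MAX_DIM or abs(height) > MAX_DIM:
        findings.append("oversized dimensions %dx%d" % (width, height))
    if compression > 5:
        findings.append("unknown compression value %d" % compression)
    if bpp <= 8 and clr_used > (1 << bpp):
        findings.append("palette count %d exceeds 2^%d" % (clr_used, bpp))

    # Size of the pixel buffer a decoder would allocate, computed with unbounded
    # Python integers; a 32-bit decoder doing the same multiplication would wrap.
    row_bytes = ((abs(width) * bpp + 31) // 32) * 4
    pixel_bytes = row_bytes * abs(height)
    if pixel_bytes > U32_MAX:
        findings.append("pixel buffer %d bytes exceeds 32 bits (overflow candidate)" % pixel_bytes)

    return {"valid": not findings, "width": width, "height": height,
            "bpp": bpp, "pixel_bytes": pixel_bytes, "findings": findings}


def build_bmp(width: int, height: int, bpp: int = 24, pixels: bytes = b"") -> bytes:
    """Constructed sample builder (not real traffic): a minimal BMP with the given header fields."""
    off = FILE_HEADER.size + INFO_HEADER.size
    file_hdr = FILE_HEADER.pack(b"BM", off + len(pixels), 0, 0, off)
    info_hdr = INFO_HEADER.pack(INFO_HEADER.size, width, height, 1, bpp, 0,
                                len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels


# Constructed samples: a well-formed 2x2 24-bit image, and a header whose width field
# alone makes the computed pixel buffer too large to fit in 32 bits.
BENIGN_BMP = build_bmp(2, 2, pixels=bytes(16))
SUSPECT_BMP = build_bmp(0x7FFFFFFF, 1)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_BMP), ("suspect", SUSPECT_BMP)):
        r = analyze_bmp(blob)
        print(label, "consistent" if r["valid"] else "FLAGGED", r["findings"])
```

A clean result does not by itself prove the session was harmless, but a header that is internally consistent and decodes to plausible dimensions is the evidence that turns "it came from Google" into a defensible false-positive call; a wrapped buffer size or a pixel offset past the end of the body is the signal that the session deserves a full look at the packet data.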
_______________________________________________
Sguil-users mailing list
Sguil-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sguil-users