
List:       sguil-users
Subject:    [Sguil-users] How to know if alert is valid or false?
From:       Jim Balo <jimbalo22 () yahoo ! com>
Date:       2008-09-19 5:50:14
Message-ID: 292577.72785.qm () web63005 ! mail ! re1 ! yahoo ! com

Hi,
 
In analyzing some high-priority alerts I get in Sguil, I find it really hard to know
if what I am looking at is an attack attempt or just poorly formatted data that
happens to trigger an alert.  Example of two alerts:

"WEB-CLIENT Adobe BMP image handler buffer overflow attempt" (SID=13685) (source:
Digex, Incorporated.)

"WEB-CLIENT Mozilla bitmap width integer overflow multipacket attempt" (SID=3634)
(source: Google.com)

I have other similar alerts, many from Yahoo.  The fact that the alert is coming from
Google or Yahoo probably makes it safe to assume that it is a false alert or
triggered by malformed data, but it still feels a bit reckless to ignore alerts only
based on that.  But short of studying the internal structure of BMPs or other image
formats, etc., how would you really be able to tell?

Any advice on how to quickly come to a sound decision on alerts like these would be
great.
Thanks,
JB
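[Editor's added example, not part of JB's message or of the Sguil/Snort projects.]
For these two SIDs you do not need the whole BMP specification: both rules are about
a client trusting the dimensions declared in the 54-byte BMP header, so the quick
triage step is to pull the HTTP response out of the Sguil transcript (or the pcap
Sguil hands to Wireshark) and check only that header. The script below does that in
Python. Everything in it is an assumption of mine: MAX_DIM and the 32-bit stride
product are triage heuristics, not the Snort rules' own matching logic, and the two
sample responses are constructed, not captured from Google or Yahoo.

```python
"""Triage helper for WEB-CLIENT BMP alerts: parse the bitmap header the
alert fired on and report whether its declared geometry is plausible.

Added example, not code from Sguil, Snort or the original post.
Assumptions: the analyst already has the raw HTTP response bytes from the
session transcript; the checks are generic BMP header-sanity heuristics
(an image-handler overflow needs absurd dimensions, depths or offsets)
and NOT the Snort rules' detection logic.
"""
import struct

FILE_HDR = struct.Struct("<2sIHHI")       # BITMAPFILEHEADER: magic, bfSize, res, res, bfOffBits
INFO_HDR = struct.Struct("<IiiHHIIiiII")  # BITMAPINFOHEADER: the 40-byte DIB header
HDR_LEN = FILE_HDR.size + INFO_HDR.size   # 54 bytes
MAX_DIM = 1 << 15   # assumption: no web image legitimately exceeds 32768 px a side


def carve_http_body(raw):
    """Return the body of a captured HTTP response (bytes after the blank
    line ending the headers); the raw bytes if no header block is found."""
    sep = raw.find(b"\r\n\r\n")
    return raw[sep + 4:] if sep != -1 else raw


def parse_bmp_header(data):
    """Parse the 14-byte file header and 40-byte info header.
    Returns a dict of fields, or None if data is not a complete BMP header."""
    if len(data) < HDR_LEN:
        return None
    magic, bf_size, _r1, _r2, off_bits = FILE_HDR.unpack_from(data, 0)
    if magic != b"BM":
        return None
    (bi_size, width, height, planes, bpp, compression, _size_image,
     _xppm, _yppm, clr_used, _clr_imp) = INFO_HDR.unpack_from(data, FILE_HDR.size)
    return dict(bf_size=bf_size, off_bits=off_bits, bi_size=bi_size,
                width=width, height=height, planes=planes, bpp=bpp,
                compression=compression, clr_used=clr_used)


def triage_bmp(data):
    """Return a list of header-sanity findings. An empty list means the
    header looks like an ordinary image, so the rule most likely fired on
    content bytes rather than on an exploit attempt."""
    hdr = parse_bmp_header(data)
    if hdr is None:
        return ["not a BMP: missing 'BM' magic or truncated header"]
    f = []
    w, h, bpp = hdr["width"], hdr["height"], hdr["bpp"]
    if hdr["bi_size"] != 40:
        f.append(f"unexpected DIB header size {hdr['bi_size']}")
    if w <= 0:
        f.append(f"non-positive width {w}")
    if w > MAX_DIM or abs(h) > MAX_DIM or h == 0:
        f.append(f"implausible dimensions {w}x{h}")
    if bpp not in (1, 4, 8, 16, 24, 32):
        f.append(f"unusual bit depth {bpp}")
    # Row stride padded to 4 bytes, as a decoder computes it. If the product
    # wraps past 32 bits, a client doing 32-bit arithmetic allocates a buffer
    # far smaller than the pixel data it then copies into it.
    if w > 0 and bpp > 0:
        stride = ((w * bpp + 31) // 32) * 4
        if stride * abs(h) > 0xFFFFFFFF:
            f.append("width*height*bpp overflows 32 bits")
    if bpp <= 8 and hdr["clr_used"] > (1 << bpp):
        f.append(f"palette size {hdr['clr_used']} exceeds 2^{bpp}")
    if hdr["off_bits"] < HDR_LEN or hdr["off_bits"] > len(data):
        f.append(f"pixel data offset {hdr['off_bits']} outside headers/capture")
    return f


def build_bmp(width, height, bpp, pixels=b"", clr_used=0):
    """Constructed sample: a well-formed 54-byte header in front of the
    given pixel bytes. Used only to build the test input below."""
    info = INFO_HDR.pack(40, width, height, 1, bpp, 0, len(pixels),
                         2835, 2835, clr_used, 0)
    filehdr = FILE_HDR.pack(b"BM", HDR_LEN + len(pixels), 0, 0, HDR_LEN)
    return filehdr + info + pixels


# Constructed samples, wrapped the way a transcript shows them.
BENIGN = (b"HTTP/1.1 200 OK\r\nContent-Type: image/bmp\r\n\r\n"
          + build_bmp(2, 2, 24, b"\x00" * 16))            # 2x2 image, stride 8
CRAFTED = (b"HTTP/1.1 200 OK\r\nContent-Type: image/bmp\r\n\r\n"
           + build_bmp(0x40000000, 1, 32, b"\x00" * 16))  # width*4 wraps to 0

if __name__ == "__main__":
    for name, resp in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(name, triage_bmp(carve_http_body(resp)) or ["header looks sane"])
```

Feed it the response body from the transcript of the session the alert references.
An empty finding list, together with a sender like Google or Yahoo, is the evidence
that lets you close the alert as content matching rather than "it came from a big
site"; a 32-bit overflow or offset finding is worth escalating regardless of the
source, since large sites serve cached and user-supplied content too. A
"truncated header" result usually means the capture is incomplete and the alert
cannot be judged from this session alone.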


_______________________________________________
Sguil-users mailing list
Sguil-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sguil-users
