Not really a vulnerability, but "alert mangling" could be a serious problem if the analysts (or the correlation engine) mainly use the classification made by Snort rather than the packet payload :
"Signature mangling fixes" http://cvs.sourceforge.net/viewcvs.py/snort/snort/RELEASE.NOTES?rev=1.3 "There is a known bug since Snort 2.0.6 where the wrong label gets attached to alerts. It's been fixed in the CVS and will be released as version 2.1.1 (if it hasn't already)." http://sourceforge.net/mailarchive/message.php?msg_id=7072376 I've seen many wrong classifications because of this bug. It's weird, but the wrongly classified entries often get a "MS-SQL Worm propagation attempt" name. Example : a "open proxies" SYN scan [**] [1:2003:2] MS-SQL Worm propagation attempt [**] > 02/15-17:41:08.045761 A.B.C.D:4156 -> W.X.Y.Z:3128 -- Nicob <[EMAIL PROTECTED]> _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
