Snort mailing list archives

Re: Definitions of snort signatures


From: "Don Weber" <Don.Weber () mail tamucc edu>
Date: Tue, 13 Nov 2001 09:22:14 -0600

I found the sp_reference.h but I am not sure how to implement it.  None of the links that show up on the snortsnarf 
webpages link to a description of the alert.  Is there a flag that needs to be set when I start snort or when I run 
snortsnarf?  If I find the sp_reference.h and .c in the snort dir was it included in the build without setting a flag?  
Thanks for the help......Don

cmg () uab edu 11/13/01 08:40AM >>>
"Don Weber" <Don.Weber () iris tamucc edu> writes:

I am doing a research project, analyzing our schools network for
attacks, and I am getting good results using snort and snortsnarf.
But I have no idea what the signatures mean.  Is there any
documentation anyplace that explains what each signature means and why
the packet was flagged? 

A good number of the rules have a references field.  This maps to
information about the rule.

The reason packets are flagged is because they match the rule and the
reason the rule was written is often described in the references
section.

SnortSnarf parses them and provides links or you can look at
sp_reference.h

#define BUGTRAQ_URL_HEAD   "http://www.securityfocus.com/bid/";
#define CVE_URL_HEAD       "http://cve.mitre.org/cgi-bin/cvename.cgi?name=";
#define ARACHNIDS_URL_HEAD "http://www.whitehats.com/info/IDS";
#define MCAFEE_URL_HEAD    "http://vil.nai.com/vil/dispVirus.asp?virus_k=";
#define URL_HEAD           "http://";

eg: reference: bugtraq, 1991 -> http://www.securityfocus.com/bid/1991 
-- 
Chris Green <cmg () uab edu>
Don't use a big word where a diminutive one will suffice.


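The mapping Chris quotes from sp_reference.h is just a prefix concatenated with the reference value. The following is an added example (not code from the thread, Snort or SnortSnarf) that parses the `reference:` options out of a rule line and resolves them the same way: the prefixes are the ones quoted above, the sample rule is constructed for this example (the bugtraq id 1991 is the thread's own example; the other reference values, the sid and the `nessus` system, which is not in the quoted table and so maps to nothing, are placeholders chosen only to exercise the mapping).

```python
import re

# URL prefix per reference system, taken from the sp_reference.h defines
# quoted in the thread. Snort builds the link by appending the reference
# value to the prefix with no separator, so "arachnids,123" becomes IDS123.
REFERENCE_URL_HEADS = {
    "bugtraq":   "http://www.securityfocus.com/bid/",
    "cve":       "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "arachnids": "http://www.whitehats.com/info/IDS",
    "mcafee":    "http://vil.nai.com/vil/dispVirus.asp?virus_k=",
    "url":       "http://",
}

# Matches one "reference:<system>,<value>;" option inside the rule body.
_REF_OPTION = re.compile(r"\breference\s*:\s*([A-Za-z0-9_-]+)\s*,\s*([^;]+?)\s*;")


def parse_references(rule):
    """Return the (system, value) pairs of every reference option in a rule."""
    return [(system.lower(), value) for system, value in _REF_OPTION.findall(rule)]


def reference_url(system, value):
    """Map one reference to its URL, or None if the system is not in the table."""
    head = REFERENCE_URL_HEADS.get(system.lower())
    if head is None:
        return None
    return head + value.strip()


def rule_reference_urls(rule):
    """Resolve every reference in a rule to (system, value, url).

    Unknown systems keep url=None so an unsupported tag shows up in the
    output instead of being silently dropped.
    """
    return [(system, value, reference_url(system, value))
            for system, value in parse_references(rule)]


# Constructed sample rule (placeholder values, see the lead-in above).
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE reference mapping"; '
    'flags:A+; content:"example"; reference:bugtraq,1991; '
    'reference:arachnids,123; reference:url,www.example.com/advisory; '
    'reference:nessus,10000; classtype:web-application-attack; sid:1000001; rev:1;)'
)

if __name__ == "__main__":
    for system, value, url in rule_reference_urls(SAMPLE_RULE):
        print(f"{system:<10} {value:<28} {url or '(no URL mapping)'}")
```

Running it on the sample rule prints the securityfocus, whitehats and plain http links for the first three references and flags the fourth as unmapped; feeding it your own rules file is a quick way to see which alerts in a SnortSnarf report will have no documentation link at all because the rule carries no reference option.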