Snort mailing list archives
Re: Logs
From: John Sage <jsage () finchhaven com>
Date: Mon, 23 Sep 2002 08:55:40 -0700
Tim:

On Sun, Sep 22, 2002 at 08:51:56PM -0500, Tim Plinth wrote:
> I've been running snort for a short while now, and most of the stuff
> in the logs I can understand. However there is stuff I don't have a clue
> about. Could you give me a link where I could read up on "understanding
> your snort logs" or explain it to me?

If it's the entire packet itself you want to understand, get a copy of
"TCP/IP Illustrated", vol. 1, W. R. Stevens, Addison-Wesley pubs.

If it's the snort alerts, my personal recommendation would be to learn how
to find the specific rule that's been triggered, read the rule, and learn
how to interpret it.

You don't say what platform you're working on, but here's a *nix|*nux
quick review:

Given: "WEB-IIS CodeRed v2 /scripts/root.exe access"

grep in /usr/local/your_snort_install_dir/ thus:

  [toot@sparky /usr/local/snort-rules]# grep 'CodeRed v2' *
  web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
      (msg:"WEB-IIS CodeRed v2 root.exe access"; flags:A+; \
      uricontent:"scripts/root.exe?"; nocase; \
      classtype:web-application-attack; \
      reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1256; rev:6;)

OK: This rule is looking for

  - TCP flags = ACK plus others (see: TCP/IP Illus.);
  - the string "scripts/root.exe?" in the packet payload;
  - the string shall be case-insensitive

A reference as to why this is important can be found at
www.cert.org/advisories/CA-2001-19.html...

Really the best way to do it is to work through several.

See also the "Snort Users Manual" - mine's at version "Snort Release:
1.9.x - Martin Roesch - 26th April 2002" for snort 1.8.7

HTH..

- John

-- 
"It's a troll! Run!^H^H^H^H Laugh!"
PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705
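The grep-then-read-the-rule workflow John describes, as an added example that is not from the post or from the Snort project: a small Python script that searches rule files for an alert's message text (the grep step) and then parses the Snort 2 rule syntax so each option can be read off in plain English (the interpretation step). The rule files are constructed in-memory strings; the CodeRed rule is the one quoted above (sid:1256), while the second rule and its sid 9000001 are made up to show quote-aware option splitting.

```python
"""Find the Snort rule behind an alert message and explain its options.

Added example (not the post's or Snort's own code). Emulates
`grep 'CodeRed v2' *` over a rules directory, then parses the matching
rule(s) with a small Snort 2 rule-syntax parser.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed rule files. First rule is the one quoted in the post;
# the second (sid:9000001, a local-rules-range number) is made up.
SAMPLE_RULES: Dict[str, str] = {
    "web-iis.rules": (
        'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-IIS CodeRed v2 root.exe access"; flags:A+; '
        'uricontent:"scripts/root.exe?"; nocase; '
        'classtype:web-application-attack; '
        'reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1256; rev:6;)\n'
        '# comment and blank lines are skipped, as in a real rules file\n'
        '\n'
        'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-IIS example semicolon"; flags:A+; content:"x;y"; '
        'sid:9000001; rev:1;)\n'
    ),
}

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

FLAG_NAMES = {"F": "FIN", "S": "SYN", "R": "RST", "P": "PSH",
              "A": "ACK", "U": "URG", "1": "reserved-1", "2": "reserved-2"}


def _split_options(body: str) -> List[str]:
    """Split 'k:v; k2; ...' on ';' but not inside double quotes."""
    items, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and in_quote and i + 1 < len(body):   # keep escapes intact
            cur.extend((ch, body[i + 1]))
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            item = "".join(cur).strip()
            if item:
                items.append(item)
            cur = []
        else:
            cur.append(ch)
        i += 1
    tail = "".join(cur).strip()
    if tail:
        items.append(tail)
    return items


def _unquote(v: Optional[str]) -> Optional[str]:
    if v is not None and len(v) >= 2 and v[0] == v[-1] == '"':
        return v[1:-1]
    return v


def parse_rule(line: str) -> Optional[dict]:
    """Parse one rule line into header fields plus ordered (key, value) options."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options: List[Tuple[str, Optional[str]]] = []
    for item in _split_options(body):
        key, sep, val = item.partition(":")
        options.append((key.strip(), _unquote(val.strip()) if sep else None))
    opt: Dict[str, Optional[str]] = {}
    for k, v in options:           # first occurrence wins, like a quick lookup
        opt.setdefault(k, v)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport,
            "options": options, "opt": opt}


def find_rules(needle: str, rules: Dict[str, str] = SAMPLE_RULES) -> List[Tuple[str, dict]]:
    """The grep step: case-sensitive substring search over every rule line."""
    hits = []
    for fname, text in rules.items():
        for line in text.splitlines():
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            if needle in line:
                parsed = parse_rule(line)
                if parsed:
                    hits.append((fname, parsed))
    return hits


def explain_flags(spec: str) -> str:
    """Snort 'flags' modifier: '+' = these plus any others, '*' = any of, '!' = not."""
    spec = spec.split(",")[0].strip()      # optional ',mask' argument ignored here
    negate = spec.startswith("!")
    mode = spec[-1] if spec and spec[-1] in "+*" else ""
    letters = spec.strip("!+*")
    if letters == "0":
        return "no TCP flags set"
    names = "+".join(FLAG_NAMES[c] for c in letters if c in FLAG_NAMES)
    if negate:
        return f"{names} not set"
    if mode == "+":
        return f"{names} set, any other flags allowed"
    if mode == "*":
        return f"any of {names} set"
    return f"exactly {names} set"


def explain(rule: dict) -> List[str]:
    """Turn a parsed rule into one plain-English line per option."""
    out = [f"{rule['action']} {rule['proto']} from {rule['src']}:{rule['sport']} "
           f"to {rule['dst']}:{rule['dport']}"]
    last_content = None
    for key, val in rule["options"]:
        if key == "msg":
            out.append(f"alert text: {val}")
        elif key == "flags":
            out.append(f"TCP flags: {explain_flags(val)}")
        elif key in ("content", "uricontent"):
            where = "URI" if key == "uricontent" else "payload"
            out.append(f"{where} contains {val!r}")
            last_content = len(out) - 1
        elif key == "nocase" and last_content is not None:   # modifies preceding content
            out[last_content] += " (case-insensitive)"
        elif key == "reference":
            kind, _, ref = val.partition(",")
            out.append(f"reference ({kind}): {ref}")
        elif key in ("classtype", "sid", "rev"):
            out.append(f"{key}: {val}")
    return out


if __name__ == "__main__":
    for fname, rule in find_rules("CodeRed v2"):
        print(f"{fname}:")
        for line in explain(rule):
            print("  " + line)
```

Run it with the alert message fragment you see in the log; on a real install point `rules` at the contents of your rules directory instead of the constructed dictionary. The `nocase` handling shows why reading options in order matters: it modifies the `content`/`uricontent` just before it, not the rule as a whole.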