Snort mailing list archives

Re: Logs


From: John Sage <jsage () finchhaven com>
Date: Mon, 23 Sep 2002 08:55:40 -0700

Tim:

On Sun, Sep 22, 2002 at 08:51:56PM -0500, Tim Plinth wrote:
> I've been running snort for a short while now, and most of the stuff
> in the logs I can understand. However there is stuff I don't have a
> clue about. Could you give me a link where I could read up on
> "understanding your snort logs" or explain it to me?

If it's the entire packet itself you want to understand, get a
copy of "TCP/IP Illustrated", vol.1, WR Stevens, Addison-Wesley pubs.

If it's the snort alerts, my personal recommendation would be to learn
how to find the specific rule that's been triggered, read the rule,
and learn how to interpret it.

You don't say what platform you're working on, but here's a *nix|*nux
quick review:

Given:

"WEB-IIS CodeRed v2 /scripts/root.exe access"

grep in /usr/local/your_snort_install_dir/ thus:

[toot@sparky /usr/local/snort-rules]# grep 'CodeRed v2' *

web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"WEB-IIS CodeRed v2 root.exe access"; flags:A+; \
uricontent:"scripts/root.exe?"; nocase; \
classtype:web-application-attack; \
reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1256; rev:6;)

OK:

This rule is looking for TCP flags = ACK plus others (see: TCP/IP
Illus.); the string "scripts/root.exe?" in the packet payload; the
string match is case-insensitive.

A reference as to why this is important can be found at
www.cert.org/advisories/CA-2001-19.html...


Really the best way to do it is to work through several.

See also the "Snort Users Manual" - mine's at version "Snort Release:
1.9.x - Martin Roesch - 26th April 2002" for snort 1.8.7

HTH..


- John
-- 
"It's a troll! Run!^H^H^H^H Laugh!"

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
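To make John's "find the rule, read the rule, interpret it" walk-through concrete, here is a small added example (mine, not John's and not part of Snort) that parses the web-iis.rules line quoted above into its header and option list, prints the same plain-English reading John gives by hand, and then applies the flags and uricontent/nocase checks to a few constructed packets. The rule text is the one from the message; the sample HTTP requests and TCP flag strings are constructed for the demonstration, and the option splitting is deliberately simple (it does not handle ';' inside quoted strings, which Snort's real parser must).

```python
import re

# The rule as quoted in John's reply, with the backslash continuations joined.
CODERED_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-IIS CodeRed v2 root.exe access"; flags:A+; '
    'uricontent:"scripts/root.exe?"; nocase; '
    'classtype:web-application-attack; '
    'reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1256; rev:6;)'
)

_HEADER = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def parse_rule(rule):
    """Split a Snort 1.x rule into header fields plus an ordered option list.

    Options are split on ';', which is enough for the rule quoted on the list;
    a real parser must also cope with ';' inside quoted content strings.
    """
    m = _HEADER.match(rule.strip())
    if not m:
        raise ValueError("does not look like a snort rule")
    parsed = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    options = []
    for raw in m.group("opts").split(";"):
        raw = raw.strip()
        if not raw:
            continue
        if ":" in raw:
            key, val = raw.split(":", 1)
            options.append((key.strip(), val.strip().strip('"')))
        else:
            options.append((raw, None))  # bare modifier such as nocase
    parsed["options"] = options
    return parsed


def explain(parsed):
    """Produce the plain-English reading of a rule that John does by hand."""
    lines = [f"{parsed['action']} on {parsed['proto']} from {parsed['src']}:{parsed['sport']} "
             f"to {parsed['dst']}:{parsed['dport']}"]
    opts = parsed["options"]
    for i, (key, val) in enumerate(opts):
        # nocase modifies the content/uricontent option immediately before it
        nocase = i + 1 < len(opts) and opts[i + 1][0] == "nocase"
        if key == "msg":
            lines.append(f"alert text: {val}")
        elif key == "flags":
            lines.append(f"TCP flags must satisfy: {val}")
        elif key in ("content", "uricontent"):
            where = "URI" if key == "uricontent" else "payload"
            lines.append(f"{where} must contain {val!r}" + (" (case-insensitive)" if nocase else ""))
        elif key == "reference":
            lines.append(f"background reading: {val.split(',', 1)[1]}")
        elif key in ("sid", "rev", "classtype"):
            lines.append(f"{key}: {val}")
    return lines


def flags_match(spec, flags):
    """Evaluate a 'flags:' option (letters F,S,R,P,A,U) against a packet's flags.

    A trailing '+' means these flags and possibly others, '*' means any of
    these, and no modifier means an exact match.
    """
    mod = spec[-1] if spec[-1] in "+*" else ""
    wanted = set(spec.rstrip("+*"))
    have = set(flags)
    if mod == "+":
        return wanted <= have
    if mod == "*":
        return bool(wanted & have)
    return wanted == have


def rule_fires(parsed, tcp_flags, payload):
    """Apply the flags and (uri)content checks to one packet."""
    opts = parsed["options"]
    # uricontent is matched against the request URI, the second token of the request line
    parts = payload.split("\r\n", 1)[0].split(" ")
    uri = parts[1] if len(parts) >= 2 else ""
    for i, (key, val) in enumerate(opts):
        nocase = i + 1 < len(opts) and opts[i + 1][0] == "nocase"
        if key == "flags" and not flags_match(val, tcp_flags):
            return False
        if key in ("content", "uricontent"):
            haystack = uri if key == "uricontent" else payload
            needle = val
            if nocase:
                haystack, needle = haystack.lower(), needle.lower()
            if needle not in haystack:
                return False
    return True


# Constructed sample packets: a mixed-case root.exe probe (exercises nocase)
# and an ordinary page request.
PROBE = "GET /scripts/ROOT.EXE?/c+dir HTTP/1.0\r\nHost: www\r\n\r\n"
BENIGN = "GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n"

if __name__ == "__main__":
    r = parse_rule(CODERED_RULE)
    print("\n".join(explain(r)))
    print(rule_fires(r, "AP", PROBE))   # True: ACK set, URI contains the string
    print(rule_fires(r, "S", PROBE))    # False: SYN only, flags:A+ not satisfied
    print(rule_fires(r, "AP", BENIGN))  # False: URI does not contain the string
```

Running it prints the rule's reading line by line, then the three verdicts; changing the flags or the request line shows which option stopped the match, which is exactly the exercise John recommends working through for several rules.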

