Re: how to read logs

[mcmurry jim <jimmcmurry () yahoo com>]

Matt

As this is my first post to the list (just signed up
today) I must say I found your attitude to be, well,
very different than most I have seen in other lists,
where newbies are bashed with a passion.

Thank You !


Thanks for all the great information ! (Not that I
needed it, but after going through the SANS course
today, I found your posting to be most edificational
(if there is such a word) )

Jim



--- Matt Kettler <mkettler () EVI-INC COM> wrote:
> At 01:49 PM 12/18/2002 +0530, you wrote:
> > how to interpret logs generated by snort.
>
>
> Read them with a text editor? :)
>
> More seriously, if the majority of snort output
> isn't self explanatory, or 
> at least explanatory enough that you can ask some 
> more specific questions 
> than that, then you're likely to need to learn a LOT
> more than I, or anyone 
> else, can convey in email. You'll probably need to
> read up a lot here.
>
> It would be impossible to simplify snort to a level
> that someone who knows 
> nothing about networks could understand it. It's
> inherently complicated 
> information, but a good, well rounded systems admin
> or router admin should 
> already know enough to handle it, or at least know
> where to start looking 
> for answers.
>
> There's some basic subjects you'll need to know
> about, and I'm going to try 
> to add some website links where you can read up a
> bit on each subject. If 
> you already know a good bit about this stuff, but
> just need some specific 
> information about certain ports/packet patterns,
> skip to number 5, and if 
> that doesn't help, post a specific question on this
> list.
>
>
>
>          1)You'll need to understand some basics of
> IP, TCP, and UDP. 
> Things like destination addresses, source addresses,
> common ports, what TCP 
> SYN, FIN and RST mean, etc. The same kind of basic
> knowledge of the 
> internet you need to successfully configure a
> multi-interface router 
> applies here, although you don't need to know router
> syntax.
>          A truly basic "intro to TCP/IP"
>         
> http://pclt.cis.yale.edu/pclt/COMM/TCPIP.HTM
>
>          A reasonable looking TCP/IP FAQ:
>          http://www.itprc.com/tcpipfaq/default.htm
>
>          basics of firewalls, DMZ's, etc.
>         
http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/Firewall-HOWTO.html
>          2) You'll need to understand some basics of
> how network attacks 
> work. I'd Recommend skimming over "Smashing the
> Stack for fun and profit" 
> by Aleph one.  A deep understanding isn't necessary,
> but a casual read of 
> this will give you some helpful basics in
> understanding the kinds of things 
> that happen in an attack, and give you a better
> understanding of what to 
> look for.
>          http://www.insecure.org/stf/smashstack.txt
>
>          3) also a good guide on securing systems is
> helpful, something 
> like this one:
>         
> http://www.openna.com/products/books/sol/solus.php
>          or this one:
>          http://www.seifried.org/lasg/
>
>
>          4) You'll need to understand the basics of
> internet servers, ie: 
> what DNS, HTTP, FTP, SMTP, etc are for. Most of that
> should be covered in 
> the various other references I've made here.
>
>          5) here's an excellent reference on
> "oddball" traffic patterns 
> commonly seen at network borders, also very helpful
>                 
> http://www.robertgraham.com/pubs/firewall-seen.html
-------------------------------------------------------
> This SF.NET email is sponsored by: Order your
> Holiday Geek Presents Now!
> Green Lasers, Hip Geek T-Shirts, Remote Control
> Tanks, Caffeinated Soap,
> MP3 Players,  XBox Games,  Flying Saucers,  WebCams,
>  Smart Putty.
> T H I N K G E E K . C O M      
> http://www.thinkgeek.com/sf/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or
> unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com


-------------------------------------------------------
This SF.NET email is sponsored by: Order your Holiday Geek Presents Now!
Green Lasers, Hip Geek T-Shirts, Remote Control Tanks, Caffeinated Soap,
MP3 Players,  XBox Games,  Flying Saucers,  WebCams,  Smart Putty.
T H I N K G E E K . C O M       http://www.thinkgeek.com/sf/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users