Snort mailing list archives
Re: alert file
From: Zachary Uram <yoda () orion netrek org>
Date: 23 Oct 2002 23:15:15 -0400
On Thu, 2002-10-24 at 01:52, Alberto Gonzalez wrote:
Actually, you should be concerned about _ALL_ alerts (for the first few days/weeks) until you establish what's false (if any?) or what's truly alerts/attacks. When I first started, I would research what snort gave me alerts on, learn about the attack, and see if I was vulnerable. This has helped me greatly in my journey.
Hi Alberto, Ok. So I will be paranoid.
These really get annoying (poor access_log). I personally (and mine is Unix based) don't care about any IIS attacks aimed at my network. I could care less what IIS junk they throw at me. You should customize your RULESET to pertain to your network (running services, users, etc.). No need to run IIS rules if you're using Apache (same goes for other stuff as well).
I am also *nix based (Debian Linux flavor) and I do run Apache as my webserver. access_log is a snort function?
[**] [1:618:1] INFO - Possible Squid Scan [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/02-01:04:42.391610 66.140.25.157:41324 -> 209.114.157.102:3128
TCP TTL:50 TOS:0x0 ID:38290 IpLen:20 DgmLen:60 DF
******S* Seq: 0xB12412FE  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 254576492 0 NOP WS: 0

I've seen Squid scan attempts when nmap[1] is run at your network. Just someone doing some information gathering on your subnet. I could be wrong, just trying to give you a general idea.
Ok. In the above example could you explain exactly what all the values/data mean? Is there a nice snort html/pdf/ps manual which explicitly explains all this?
Just spp_portscan letting you know what's up :-)
spp_portscan is another snort function?
Can't say I've seen this before, then again, I have everything pertaining to windows turned off.. no need for 'noise'.
Yah I'd like to do that also.
Hope it Helps
Thanks! BTW, does one only need to run 1 IDS system? Since I am running snort, is that all I need? What about firewalling? How to let snort know about my firewall rules? I suspect snort may be logging some legitimate services I am running: tcpspy, tcplogd, portsentry, icmplogd, ippl, scandetd, tinyproxy. Should I consider removing some of these now that I am running snort? (i.e. don't muddy the waters)

Zach
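Since the question of what every value in a Snort alert record means comes up in the message above, here is an added example (not part of the original thread or of Snort itself) that parses a "full" alert record into its named fields and decodes the TCP flag string. SAMPLE_ALERT_FILE is a constructed copy of the Squid-scan record quoted in the thread; the "WEB-IIS" message prefix used by drop_irrelevant() is an assumption about how the IIS rules name their alerts, standing in for the ruleset tuning Alberto recommends.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: a copy of the Squid-scan record quoted in the
# thread, laid out one field group per line as Snort writes the alert file.
SAMPLE_ALERT_FILE = """\
[**] [1:618:1] INFO - Possible Squid Scan [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/02-01:04:42.391610 66.140.25.157:41324 -> 209.114.157.102:3128
TCP TTL:50 TOS:0x0 ID:38290 IpLen:20 DgmLen:60 DF
******S* Seq: 0xB12412FE  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 254576492 0 NOP WS: 0
"""

# Snort prints the eight TCP flag bits in the fixed order 12UAPRSF;
# '*' means the bit is clear, so "******S*" is a bare SYN.
FLAG_NAMES = {"1": "RES1", "2": "RES2", "U": "URG", "A": "ACK",
              "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN"}

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$")
ADDR_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
IP_RE = re.compile(r"^(\w+) TTL:(\d+) TOS:(0x[0-9A-Fa-f]+) ID:(\d+) "
                   r"IpLen:(\d+) DgmLen:(\d+)((?: \w+)*)$")
TCP_RE = re.compile(r"^([12UAPRSF*]{8}) Seq: (0x[0-9A-Fa-f]+)\s+Ack: "
                    r"(0x[0-9A-Fa-f]+)\s+Win: (0x[0-9A-Fa-f]+)\s+TcpLen: (\d+)$")
OPTS_RE = re.compile(r"^TCP Options \((\d+)\) => (.*)$")


@dataclass
class SnortAlert:
    gid: int                  # generator id: 1 = a rule from the ruleset
    sid: int                  # signature id of the rule that fired
    rev: int                  # revision of that rule
    msg: str                  # the rule's msg text
    classification: str = ""  # classtype, from classification.config
    priority: int = 0         # 1 is the most severe
    timestamp: str = ""       # MM/DD-HH:MM:SS.microseconds
    src: str = ""
    src_port: int = 0
    dst: str = ""
    dst_port: int = 0
    proto: str = ""
    # IP header: ttl, tos, id, iplen (header bytes), dgmlen (total bytes)
    ip: Dict[str, int] = field(default_factory=dict)
    ip_flags: List[str] = field(default_factory=list)   # e.g. DF
    tcp_flags: List[str] = field(default_factory=list)  # flags that are set
    # TCP header: seq, ack, win (window size), tcplen (header bytes incl. options)
    tcp: Dict[str, int] = field(default_factory=dict)
    tcp_options: str = ""


def parse_record(lines: List[str]) -> SnortAlert:
    """Turn the lines of one alert record into a SnortAlert."""
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("not a Snort alert header: %r" % lines[0])
    a = SnortAlert(int(m[1]), int(m[2]), int(m[3]), m[4])
    for line in lines[1:]:
        if (m := CLASS_RE.match(line)):
            a.classification, a.priority = m[1], int(m[2])
        elif (m := ADDR_RE.match(line)):
            a.timestamp, a.src, a.src_port = m[1], m[2], int(m[3])
            a.dst, a.dst_port = m[4], int(m[5])
        elif (m := IP_RE.match(line)):
            a.proto = m[1]
            a.ip = {"ttl": int(m[2]), "tos": int(m[3], 16), "id": int(m[4]),
                    "iplen": int(m[5]), "dgmlen": int(m[6])}
            a.ip_flags = m[7].split()
        elif (m := TCP_RE.match(line)):
            a.tcp_flags = [FLAG_NAMES[c] for c in m[1] if c != "*"]
            a.tcp = {"seq": int(m[2], 16), "ack": int(m[3], 16),
                     "win": int(m[4], 16), "tcplen": int(m[5])}
        elif (m := OPTS_RE.match(line)):
            a.tcp_options = m[2]
    return a


def parse_alerts(text: str) -> List[SnortAlert]:
    """Records in the alert file are separated by blank lines."""
    blocks = [b.splitlines() for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]
    return [parse_record(b) for b in blocks]


def is_bare_syn(a: SnortAlert) -> bool:
    """A lone SYN is a connection attempt; one per port is what a SYN scan
    looks like from the target side."""
    return a.proto == "TCP" and a.tcp_flags == ["SYN"]


def drop_irrelevant(alerts: List[SnortAlert], ignored_prefixes=("WEB-IIS",)):
    """After-the-fact ruleset tuning: drop alerts for services you don't run.
    Assumption: the IIS rules prefix their msg with "WEB-IIS"."""
    return [a for a in alerts if not a.msg.startswith(ignored_prefixes)]


def describe(a: SnortAlert) -> str:
    return (f"{a.timestamp} [{a.gid}:{a.sid}:{a.rev}] {a.msg} "
            f"(priority {a.priority}, {a.classification}): {a.proto} "
            f"{a.src}:{a.src_port} -> {a.dst}:{a.dst_port}, "
            f"flags {'+'.join(a.tcp_flags) or 'none'}, TTL {a.ip.get('ttl')}")


if __name__ == "__main__":
    for alert in drop_irrelevant(parse_alerts(SAMPLE_ALERT_FILE)):
        print(describe(alert), "bare SYN" if is_bare_syn(alert) else "")
```

Run against your own alert file by feeding its contents to parse_alerts(); the parser only recognises the TCP layout shown here, so UDP and ICMP records keep their IP fields but leave the tcp dictionary empty.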
Current thread:
- alert file Zachary Uram (Oct 23)
- Re: alert file Alberto Gonzalez (Oct 23)
- Re: alert file Zachary Uram (Oct 23)
- Re: alert file Alberto Gonzalez (Oct 23)
- Re: alert file Zachary Uram (Oct 24)
- Re: alert file Zachary Uram (Oct 23)
- Re: alert file Alberto Gonzalez (Oct 23)
- Snort logging to mysql Edward W. Ray (Oct 23)