Snort mailing list archives

Re: Snort Alerts


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 19 Mar 2003 11:53:00 -0500

At 02:38 PM 3/19/2003 +1100, Elvira_Byrnes () mobileinnovations com au wrote:
> Hi Everybody
> 
> I am looking after the Snort box that the previous administrator setup. I am new to it.
> 
> When I look at the logs how do I tell if there was a successful attempt of breaking into the company? My manager wants to be regularly updated on what is happening.

Quite frankly, there's usually no simple way to look at snort data and tell right off if there was a successful attempt to break in. Heck, there's usually no way to tell right off if there was even an attempt or merely something unusual. At least, not without a fair amount of knowledge about networks.

Snort is not a replacement for a network admin doing some homework about what's going on; it's merely a tool that provides some information that's useful in seeing it. Once you're well versed in security and networks, you can usually look at the output and with a little thought figure out what happened.

So how do you read up enough to be able to read your snort logs? Below is an answer I wrote a while ago to the question "how do I read snort logs?" It's not all inclusive, but does cover most of the bases.

----------------------------------

Read them with a text editor? :)

More seriously, if the majority of snort output isn't self-explanatory, or at least explanatory enough that you can ask some more specific questions than that, then you're likely to need to learn a LOT more than I, or anyone else, can convey in email. You'll probably need to read up a lot here.

It would be impossible to simplify snort to a level that someone who knows nothing about networks could understand it. It's inherently complicated information, but a good, well-rounded systems admin or router admin should already know enough to handle it, or at least know where to start looking for answers.

There are some basic subjects you'll need to know about, and I'm going to try to add some website links where you can read up a bit on each subject. If you already know a good bit about this stuff, but just need some specific information about certain ports/packet patterns, skip to number 5, and if that doesn't help, post a specific question on this list.



1) You'll need to understand some basics of IP, TCP, and UDP. Things like destination addresses, source addresses, common ports, what TCP SYN, FIN and RST mean, etc. The same kind of basic knowledge of the internet you need to successfully configure a multi-interface router applies here, although you don't need to know router syntax.
        A truly basic "intro to TCP/IP"
        http://pclt.cis.yale.edu/pclt/COMM/TCPIP.HTM

        A reasonable looking TCP/IP FAQ:
        http://www.itprc.com/tcpipfaq/default.htm

        Basics of firewalls, DMZs, etc.
        http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/Firewall-HOWTO.html

2) You'll need to understand some basics of how network attacks work. I'd recommend skimming over "Smashing the Stack for Fun and Profit" by Aleph One. A deep understanding isn't necessary, but a casual read of this will give you some helpful basics in understanding the kinds of things that happen in an attack, and give you a better understanding of what to look for.
        http://www.insecure.org/stf/smashstack.txt

3) Also, a good guide on securing systems is helpful, something like this one:
        http://www.openna.com/products/books/sol/solus.php
        or this one:
        http://www.seifried.org/lasg/


4) You'll need to understand the basics of internet servers, i.e., what DNS, HTTP, FTP, SMTP, etc. are for. Most of that should be covered in the various other references I've made here.

5) Here's an excellent reference on "oddball" traffic patterns commonly seen at network borders; also very helpful:
        http://www.robertgraham.com/pubs/firewall-seen.html
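The reply above says there is no shortcut to reading Snort output, and that the job is to summarize what the sensor saw so you can ask more specific questions. The script below is an added example written for this archive page, not code from the original post or from the Snort project. It parses lines in Snort's "fast" alert format (the one-line `alert_fast` output with `[gid:sid:rev]`, `[Priority: n]`, `{PROTO}` and `src:port -> dst:port`), then builds the first-pass summary an administrator would want before digging into individual alerts: counts per signature, counts per source address, how many distinct destinations each source touched (a single source hitting many hosts is something to look at, not proof of anything), and the alerts Snort marked priority 1, which is the most urgent level in Snort's classification scheme. The sample alert lines, signature IDs, messages and addresses are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Snort "fast" alert format (alert_fast output). Year in the timestamp and the
# Classification field are optional; ICMP alerts carry no port numbers.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}(?:/\d{2,4})?-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (RFC 5737 documentation addresses, made-up SIDs).
SAMPLE_ALERTS = """\
03/19-02:15:07.123456  [**] [1:1000001:1] CONSTRUCTED web probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:4455 -> 198.51.100.5:80
03/19-02:15:08.223456  [**] [1:1000001:1] CONSTRUCTED web probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:4456 -> 198.51.100.6:80
03/19-02:15:09.323456  [**] [1:1000001:1] CONSTRUCTED web probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:4457 -> 198.51.100.7:80
03/19-02:16:00.000001  [**] [1:1000002:1] CONSTRUCTED ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.20 -> 198.51.100.5
03/19-02:17:30.500000  [**] [1:1000003:2] CONSTRUCTED mail relay attempt [**] [Priority: 1] {TCP} 203.0.113.7:51000 -> 198.51.100.25:25
this line is not an alert and is skipped by the parser
"""


def parse_alert(line):
    """Parse one fast-format alert line; return a dict or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        d[key] = int(d[key])
    # Ports are absent for ICMP; keep them as int when present, None otherwise.
    d["sport"] = int(d["sport"]) if d["sport"] else None
    d["dport"] = int(d["dport"]) if d["dport"] else None
    return d


def parse_alerts(text):
    """Parse every alert line in a block of text, silently skipping non-alert lines."""
    alerts = []
    for line in text.splitlines():
        a = parse_alert(line)
        if a:
            alerts.append(a)
    return alerts


def summarize(alerts):
    """First-pass triage summary: who fired what, from where, against how many hosts."""
    by_signature = Counter((a["sid"], a["msg"]) for a in alerts)
    by_source = Counter(a["src"] for a in alerts)
    fanout = defaultdict(set)  # source -> set of distinct destinations
    for a in alerts:
        fanout[a["src"]].add(a["dst"])
    # Snort priority 1 is the highest severity in the default classification.config.
    high_priority = [a for a in alerts if a["prio"] == 1]
    return {
        "by_signature": by_signature,
        "by_source": by_source,
        "fanout": {src: sorted(dsts) for src, dsts in fanout.items()},
        "high_priority": high_priority,
    }


def report(text):
    """Render the summary as lines of text suitable for a status mail."""
    s = summarize(parse_alerts(text))
    out = ["Alerts by signature:"]
    for (sid, msg), n in s["by_signature"].most_common():
        out.append(f"  {n:5d}  sid {sid}  {msg}")
    out.append("Sources by alert count (distinct destinations in parentheses):")
    for src, n in s["by_source"].most_common():
        out.append(f"  {n:5d}  {src} ({len(s['fanout'][src])})")
    out.append("Priority 1 alerts to review first:")
    for a in s["high_priority"]:
        out.append(f"  {a['ts']}  {a['src']} -> {a['dst']}  {a['msg']}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ALERTS)))
```

The summary only orders the work; it does not decide whether anything succeeded. The usual next step for each line worth chasing is to pull the full packet log for that signature and source and read it with the protocol knowledge the list above points to.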


