Snort mailing list archives
Re: where can i find info about events
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 10 May 2004 11:27:59 -0400
At 09:49 AM 5/10/2004, derk van de Velde wrote:
> Hi, where can I find info about e.g. "attempted information leak"? How severe is it? I'm new. Regards, derk
"Attempted information leak" is a class of alerts, not any specific event. There are dozens of rules in this class, some severe, some not.
If you want some description of a specific alert, enter its SID into the rule documentation search that's on www.snort.org.
For example this alert:

[**] [1:1549:11] SMTP HELO overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
xx/xx-xx:55:36.462727 xx.xx.xx.xx:xxxxx -> xx.xx.xx.xx:25
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:52
***AP*** Seq: 0xxxxxxxxx Ack: 0xxxxxxxxx Win: 0x415B TcpLen: 20

has a SID of 1549, which I extracted from [1:1549:11]. Note that the first digit must be 1: for it to be a rule. Anything else is generated by the preprocessors and isn't documented in the rule docs; it's documented in the docs for the preprocessor itself.
Entering 1549 into the search gets me this: http://www.snort.org/snort-db/sid.html?sid=1549
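An added example, not code from the thread or from the Snort project: it pulls the [gid:sid:rev] triple, classification and priority out of a Snort full-format alert and applies the rule of thumb above, sending gid 1 to the rule database URL quoted in the reply and flagging anything else as a preprocessor event. The alert texts are constructed samples (the first mirrors the one quoted above; the gid of the second is made up to show the preprocessor branch).

```python
import re

# Constructed sample: the alert quoted in the reply, with its x'd-out fields.
RULE_ALERT = """[**] [1:1549:11] SMTP HELO overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
xx/xx-xx:55:36.462727 xx.xx.xx.xx:xxxxx -> xx.xx.xx.xx:25
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:52
***AP*** Seq: 0xxxxxxxxx Ack: 0xxxxxxxxx Win: 0x415B TcpLen: 20
"""

# Constructed sample with a non-1 generator id (placeholder value, not a real
# preprocessor id), to exercise the "not a rule" branch.
PREPROC_ALERT = """[**] [999:1:1] (constructed) preprocessor style event [**]
[Priority: 3]
xx/xx-xx:55:40.000000 xx.xx.xx.xx:xxxxx -> xx.xx.xx.xx:80
"""

# Header line: [**] [gid:sid:rev] message [**]
HEADER_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]")
CLASS_RE = re.compile(r"\[Classification:\s*([^\]]+)\]")
PRIO_RE = re.compile(r"\[Priority:\s*(\d+)\]")

# URL format as quoted in the reply (assumed to take the SID as a query arg).
SID_DOC_URL = "http://www.snort.org/snort-db/sid.html?sid={sid}"


def parse_alert(text):
    """Return a dict describing one full-format Snort alert block."""
    m = HEADER_RE.search(text)
    if m is None:
        raise ValueError("no [**] [gid:sid:rev] header found")
    gid, sid, rev = (int(m.group(i)) for i in (1, 2, 3))
    cls = CLASS_RE.search(text)
    prio = PRIO_RE.search(text)
    # gid 1 means a rule in the rule set; anything else is a preprocessor
    # event and has no entry in the rule documentation database.
    is_rule = gid == 1
    return {
        "gid": gid,
        "sid": sid,
        "rev": rev,
        "msg": m.group(4),
        "classification": cls.group(1) if cls else None,
        "priority": int(prio.group(1)) if prio else None,
        "is_rule": is_rule,
        "doc_url": SID_DOC_URL.format(sid=sid) if is_rule else None,
    }
```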