Snort mailing list archives
How to find Snort ID in /var/log/snort/alert records?
From: James Sinnamon <frodo000 () bigpond net au>
Date: Mon, 27 Sep 2004 15:01:20 +1000
Dear Snort users, I have had Snort running since May on a Debian Linux system, but I still do not know how to use the information in /var/log/snort/alert*. I bought "Snort for Dummies" to kick start myself, but the description of the alert records des not correspond to what I find on my system. In particular, I am unable to obtain a 'Snort ID' which matches anything at: http://www.snort.org/cgi-bin/done.cgi (For all I know, my firewalled system, running an SMTP server, Mailman, sshd and Apache, may well have been hacked into and totally compromised in this period of time, and Snort may have changed to output only gibberish.) The content of /var/log/alert now includes (with IP addrs changed): [**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**] 09/27-08:39:21.347580 147.16.81.75:32999 -> 203.26.51.42:80 TCP TTL:63 TOS:0x0 ID:57676 IpLen:20 DgmLen:1272 DF ***AP*** Seq: 0xF0F14CE9 Ack: 0xF0CED3A Win: 0x16D0 TcpLen: 32 TCP Options (3) => NOP NOP TS: 175525 948682168 [**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**] 09/27-08:39:32.182348 147.16.81.75:33010 -> 203.26.51.42:80 TCP TTL:63 TOS:0x0 ID:25593 IpLen:20 DgmLen:1272 DF ***AP*** Seq: 0xF120D22B Ack: 0x778B898C Win: 0x16D0 TcpLen: 32 TCP Options (3) => NOP NOP TS: 176608 939098917 [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**] 09/27-09:11:32.017827 147.16.81.75:33483 -> 202.139.107.20:80 TCP TTL:63 TOS:0x0 ID:28272 IpLen:20 DgmLen:1500 DF ***A**** Seq: 0x69DCF1BA Ack: 0xFBBF7BBA Win: 0x16D0 TcpLen: 32 TCP Options (3) => NOP NOP TS: 368601 648869733 [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] 09/27-09:12:25.912677 147.16.81.75:33488 -> 202.139.106.174:80 TCP TTL:63 TOS:0x0 ID:18618 IpLen:20 DgmLen:620 DF ***AP*** Seq: 0x6CC6FC5C Ack: 0xCED41371 Win: 0x16D0 TcpLen: 32 TCP Options (3) => NOP NOP TS: 373991 780114678 ... do the above records contain snort ID's? The closest I can find are: [119:16:1], [119:15:1], and [119:2:1]. Also, I am not sure which of the port pairs is meant to be the source and which is meant to be the destination. Are the above, records of : !) attempts to hack into my system (147.16.81.75), or 2) or attempts by processes on my system to hack into other systems (203.26.51.42, 202.139.107.20, 202.139.106.174)? TIA James -- James Sinnamon frodo000@bigpond net au +61 412 319669, +61 2 95692123 ------------------------------------------------------- This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170 Project Admins to receive an Apple iPod Mini FREE for your judgement on who ports your project to Linux PPC the best. Sponsored by IBM. Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- How to find Snort ID in /var/log/snort/alert records? James Sinnamon (Sep 26)
- <Possible follow-ups>
- Re: How to find Snort ID in /var/log/snort/alert records? Nigel Houghton (Sep 27)