Re: How to find Snort ID in /var/log/snort/alert records?

[Nigel Houghton <nigel () sourcefire com>]

On  0, snort-users-request () lists sourceforge net allegedly wrote:
> Today's Topics:
>
>    1. How to find Snort ID in /var/log/snort/alert records? (James Sinnamon)
> --__--__--
>
> Message: 1
> From: James Sinnamon <frodo000 () bigpond net au>
> Reply-To: James Sinnamon <frodo000 () bigpond net au>
> To: snort-users () lists sourceforge net
> Date: Mon, 27 Sep 2004 15:01:20 +1000
> Subject: [Snort-users] How to find Snort ID in /var/log/snort/alert records?
>
> Dear Snort users,
>
> I have had Snort running since May on a Debian
> Linux system, but I still do not know how to 
> use the information in  /var/log/snort/alert*.
> I bought "Snort for Dummies" to kick start 
> myself, but the description of the alert records
> des not correspond to what I find on my system. 
>
> In particular, I am unable to 
> obtain a 'Snort ID' which matches anything at: 
>
>   http://www.snort.org/cgi-bin/done.cgi
>
> (For all I know, my firewalled system, 
> running an SMTP server, Mailman, sshd and 
> Apache, may well have been hacked into
> and totally compromised in this period of time,
> and Snort may have changed to output only 
> gibberish.)
>
> The content of /var/log/alert now includes (with IP addrs changed):
>
> [**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
> 09/27-08:39:21.347580 147.16.81.75:32999 -> 203.26.51.42:80
> TCP TTL:63 TOS:0x0 ID:57676 IpLen:20 DgmLen:1272 DF
> ***AP*** Seq: 0xF0F14CE9  Ack: 0xF0CED3A  Win: 0x16D0  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 175525 948682168
>
> [**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
> 09/27-08:39:32.182348 147.16.81.75:33010 -> 203.26.51.42:80
> TCP TTL:63 TOS:0x0 ID:25593 IpLen:20 DgmLen:1272 DF
> ***AP*** Seq: 0xF120D22B  Ack: 0x778B898C  Win: 0x16D0  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 176608 939098917
>
> [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
> 09/27-09:11:32.017827 147.16.81.75:33483 -> 202.139.107.20:80
> TCP TTL:63 TOS:0x0 ID:28272 IpLen:20 DgmLen:1500 DF
> ***A**** Seq: 0x69DCF1BA  Ack: 0xFBBF7BBA  Win: 0x16D0  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 368601 648869733
>
> [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
> 09/27-09:12:25.912677 147.16.81.75:33488 -> 202.139.106.174:80
> TCP TTL:63 TOS:0x0 ID:18618 IpLen:20 DgmLen:620 DF
> ***AP*** Seq: 0x6CC6FC5C  Ack: 0xCED41371  Win: 0x16D0  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 373991 780114678
>
> ... do the above records contain snort ID's?  The closest I can find are:
>  [119:16:1], [119:15:1], and [119:2:1].

correct, these are in the format [ generator id : snort id : revision ],
this means you have a generator id of 119 and snort ids of 16, 15 and 2 all
of which are revision number 1. Generator id 119 relates to http_inspect,
look in gen-msg.map for all the others. The (http_inspect) in the message
is also a dead giveaway.

> Also, I am not sure which of the port pairs is meant to be the source and 
> which is meant to be the destination.  Are the above, records of :
>
>   !)  attempts to hack into my system (147.16.81.75), or
>   2) or attempts by processes on my system to hack into other 
>        systems (203.26.51.42, 202.139.107.20, 202.139.106.174)?


The direction indicator in the event message indicates the events are
coming from 147.16.81.75 and going to the addresses indicated.

More information on the events can be found at:

 http://www.snort.org/snort-db/sid.html?sid=119-16

 http://www.snort.org/snort-db/sid.html?sid=119-15

 http://www.snort.org/snort-db/sid.html?sid=119-2


> TIA 
>
> James
>
> -- 
> James Sinnamon
> frodo000@bigpond net au 
> +61 412 319669, +61 2 95692123
 
+-------------------------------------------------------------------------+
   ,,_   Nigel Houghton      Research Engineer       Sourcefire Inc.
  o"  )~               Vulnerability Research Team
   ''''  
  "Dude, dolphins are intelligent and friendly!" - Wendy
  "Intelligent and friendly on rye bread, with some mayonaise." - Cartman
+-------------------------------------------------------------------------+


-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users