Snort mailing list archives

Re: Help with Alerts

From: Joel Esler <jesler () sourcefire com>
Date: Sat, 8 Sep 2012 07:53:52 -0400

If you are using pulledpork, it should generate your Sid-MSG.map for you. Are you using pulledpork?

--
Joel Esler
Sent from my iPad 

On Sep 8, 2012, at 7:21 AM, Pratik Narang <pratik.cse.bits () gmail com> wrote:

Hi all,
 Could someone help out why I am not able to identify this alert in any of the files?

09/08-16:25:26.843914  [**] [1:18608:6] Snort Alert [1:18608:0] [**] [Classification: Potential Corporate Privacy 
Violation] [Priority: 1] {TCP} 172.16.x0.y0:58825 -> 199.47.216.148:80
09/08-16:26:15.505341  [**] [1:18608:6] Snort Alert [1:18608:0] [**] [Classification: Potential Corporate Privacy 
Violation] [Priority: 1] {TCP} 172.16.x0.y0:58790 -> 199.47.216.148:80
09/08-16:26:22.182389  [**] [1:18608:6] Snort Alert [1:18608:0] [**] [Classification: Potential Corporate Privacy 
Violation] [Priority: 1] {TCP} 172.16.x0.y0:58825 -> 199.47.216.148:80
09/08-16:27:12.671644  [**] [1:18608:6] Snort Alert [1:18608:0] [**] [Classification: Potential Corporate Privacy 
Violation] [Priority: 1] {TCP} 172.16.x0.y0:58790 -> 199.47.216.148:80
09/08-16:27:19.259019  [**] [1:18608:6] Snort Alert [1:18608:0] [**] [Classification: Potential Corporate Privacy 
Violation] [Priority: 1] {TCP} 172.16.x0.y0:58825 -> 199.47.216.148:80

The sid corresponds to app-detect.rules (Dropbox activity), but i cant locate that sid in sid-msg.map. Why so? Am i 
looking at the wrong place? 

Snort version 2.9.3.1

Thanks...
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Help with Alerts Pratik Narang (Sep 08)
- Re: Help with Alerts Joel Esler (Sep 08)
  - Re: Help with Alerts waldo kitty (Sep 08)
    - Re: Help with Alerts James Lay (Sep 09)
    - Re: Help with Alerts waldo kitty (Sep 09)
    - Re: Help with Alerts Joel Esler (Sep 09)
    - Re: Help with Alerts Michael Steele (Sep 09)
    - Re: Help with Alerts Joel Esler (Sep 09)
    - Re: Help with Alerts Michael Steele (Sep 09)
    - Re: Help with Alerts Joel Esler (Sep 09)
  - Message not available
    - Message not available
    - Message not available
    - Help with Alerts Pratik Narang (Sep 09)
    - Re: Help with Alerts waldo kitty (Sep 09)

(Thread continues...)