Snort mailing list archives

Previous By Date Next
Previous By Thread Next

newbq: snort working, getting hits, got sig id's. What now?

From: "Thomison, Lee" <ThomisonL () muni org>
Date: Thu, 29 Nov 2012 14:29:43 -0900
Pardon the newbie question, but...

I've got snort up and running (via security onion 12.04), got latest vrt rules, etc.  Let it run overnight and now I've 
got hits (surprise, surprise).  I've got sig id's for the first couple of high event count hits I want to look at, but 
what now?  Where do I go next or what do I do next to decide whether I have a problem or not?

Here's the two sigs I want to use as trainers for myself:

SIG ID

2102649            GPL SQL service_name buffer overflow attempt
2102650            GPL SQL user name buffer overflow attempt

Where do I go to get more information on a sig id?

Now, in this case, the source ip is an old control systems box sending data to a couple of oracle databases.  The 
source and dest IP's correspond with the 'right' boxes.  So I suspect that this is simply a result of the vendor or 
oracle (or both) being sloppy.  But how do I confirm (or not) ?

FWIW googling showed lots of info on how to write rules, but nothing on what to do after a hit.

Thanks!



------------------------------------------------------------------------------
Keep yourself connected to Go Parallel: 
TUNE You got it built. Now make it sing. Tune shows you how.
http://goparallel.sourceforge.net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: