Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: finding which rule

From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 24 Jul 2014 13:57:20 -0600
On 2014-07-24 13:02, Richard Smollett wrote:

Im getting a lot of alerts that look like this.

[**] [129:20:1] Snort Alert [129:20:1] [**] [Classification:
Potentially Bad Traffic] [Priority: 2] 07/24-14:15:35.196146
172.28.61.104:22 -> 172.28.61.88:20309 TCP TTL:64 TOS:0x10 ID:59076
IpLen:20 DgmLen:104 DF ***AP*** Seq: 0x8055FA2A Ack: 0x450C8A09 Win:
0x545 TcpLen: 20

 How do I go about finding the rule that generated this alert?


 From README.stream5:

Alerts
======
Stream5 uses generator ID 129.  It is capable of alerting on 10
anomalies, all of which relate to TCP anomalies.  There are no
anomaly detection capabilities for UDP or ICMP.  Check etc/gen-msg.map
for the current list of GID 129 alerts.

and from gen-msg.map:

129 || 20 || stream5: TCP session without 3-way handshake

James

------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: