Snort mailing list archives

Re: finding which rule


From: Richard Smollett <yawningdogge () gmail com>
Date: Thu, 24 Jul 2014 16:10:30 -0400

1. I didn't explicitly put them there, but I've checked all the files
against the snort.conf and pulledpork.conf files and the files/directories
are indeed there.
2. Sorry, but I'm not seeing those stats anywhere when I start or stop
snort. Do I need a specific tag to generate them?


On Thu, Jul 24, 2014 at 4:03 PM, Y M <snort () outlook com> wrote:

Date: Thu, 24 Jul 2014 15:52:50 -0400

From: yawningdogge () gmail com
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] finding which rule

I use pulledpork.

1. When you deployed Snort, did you copy all of the necessary files to the
respective directories (so_rules, preproc_rules, etc.)?
2. When you run Snort, from the run stats, under "Snort rules read", how
many preprocessor rules are being loaded?

A correction about my initial post: I said it is sid:2, I should have said
sid:1 based on your alert data.



On Thu, Jul 24, 2014 at 3:50 PM, Y M <snort () outlook com> wrote:

Date: Thu, 24 Jul 2014 15:44:24 -0400
From: yawningdogge () gmail com
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] finding which rule


My preprocessor.rules file is blank

How did you copy/install your rules?


On Thu, Jul 24, 2014 at 3:24 PM, Y M <snort () outlook com> wrote:

Date: Thu, 24 Jul 2014 15:02:34 -0400
From: yawningdogge () gmail com
To: snort-users () lists sourceforge net
Subject: [Snort-users] finding which rule

I'm getting a lot of alerts that look like this.

[**] [129:20:1] Snort Alert [129:20:1] [**] [Classification: Potentially Bad Traffic] [Priority: 2]
07/24-14:15:35.196146 172.28.61.104:22 -> 172.28.61.88:20309 TCP TTL:64 TOS:0x10 ID:59076 IpLen:20 DgmLen:104 DF
***AP*** Seq: 0x8055FA2A Ack: 0x450C8A09 Win: 0x545 TcpLen: 20

How do I go about finding the rule that generated this alert?

The "[129:20:1]" stands for [GID:SID:REV]. GID with value 129 is generated
by the Stream5 preprocessor (http://manual.snort.org/node18.html), and
the alert sid is 2. You can go with something similar to (assuming you are
running *nix):

grep "sid: 2; gid: 129" /your/pathto/preproc_rules/preprocessor.rules

Though you may not get the exact content match upon which this signature is
matching, it has references to CVE/Bugtraq. In general, the alert
warns about existing payload on a SYN packet, which may be categorized as
unusual behavior; i.e., sending data on the initial SYN. You need to
investigate to determine if it is legit or not.

The reason your alert is showing as "Snort Alert" instead of the actual
signature message is that the sid-msg.map is not updated with the specific
signature information.

YM

------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck Code
Sight - the same software that powers the world's largest code search on
Ohloh, the Black Duck Open Hub! Try it now. http://p.sf.net/sfu/bds
_______________________________________________ Snort-users mailing list
Snort-users () lists sourceforge net Go to this URL to change user options
or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users
<https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users>
list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest
Snort news!
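YM's two points above, the [GID:SID:REV] lookup and the missing sid-msg.map entry behind the generic "Snort Alert" text, as an added example that is not part of the thread: a Python snippet that parses the alert line quoted above and resolves the gid:sid pair against gen-msg.map and sid-msg.map contents. The map excerpts and their messages are constructed placeholders, and the function names are assumptions; the only real conventions assumed are the gen-msg.map `gid || sid || msg` layout and the pulledpork sid-msg.map "v2" layout.

```python
import re

# Alert line quoted in the thread (truncated after the priority field); the
# [gid:sid:rev] triplet between the [**] markers is the key into the map files.
SAMPLE_ALERT = "[**] [129:20:1] Snort Alert [129:20:1] [**] [Classification: Potentially Bad Traffic] [Priority: 2]"
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")

# Constructed map excerpts; the messages are placeholders, not real Snort text.
# gen-msg.map (decoder/preprocessor events):  gid || sid || msg
GEN_MSG_MAP = """\
129 || 1 || stream5: placeholder message for event 1
129 || 20 || stream5: placeholder message for event 20
"""
# sid-msg.map v2 (the format pulledpork writes for Snort 2.9.x):
# gid || sid || rev || classification || priority || msg || ref || ref ...
SID_MSG_MAP = """\
#v2
1 || 1000001 || 3 || misc-activity || 3 || LOCAL placeholder rule || url,example.invalid
"""

def parse_alert(line):
    """Return (gid, sid, rev, msg) from a fast-format alert line, else None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    gid, sid, rev, msg = m.groups()
    return int(gid), int(sid), int(rev), msg

def load_maps(gen_text, sid_text):
    """Build {(gid, sid): msg} from gen-msg.map and sid-msg.map contents."""
    table = {}
    for raw in gen_text.splitlines():
        if raw.strip() and not raw.startswith("#"):
            gid, sid, msg = (f.strip() for f in raw.split("||", 2))
            table[(int(gid), int(sid))] = msg
    v2 = sid_text.lstrip().startswith("#v2")
    for raw in sid_text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        f = [x.strip() for x in raw.split("||")]
        # v1 lines are "sid || msg || ref ..." and always belong to gid 1.
        key, msg = ((int(f[0]), int(f[1])), f[5]) if v2 else ((1, int(f[0])), f[1])
        table[key] = msg
    return table

def resolve(line, table):
    """Swap the generic 'Snort Alert [g:s:r]' text for the mapped message, if any."""
    parsed = parse_alert(line)
    if parsed is None:
        return None
    gid, sid, rev, msg = parsed
    real = table.get((gid, sid))  # None => map lacks this gid:sid, the thread's symptom
    return {"gid": gid, "sid": sid, "rev": rev, "msg": real or msg, "mapped": real is not None}
```

Point `load_maps` at the contents of the real gen-msg.map and sid-msg.map from your rules directory; an alert that comes back with `"mapped": False` is exactly the case YM describes, a gid:sid the map files do not know about.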


