Snort mailing list archives
Re: Understanding the alert file
From: Gabriel Corre <gabriel.corre () fr clara net>
Date: Thu, 13 Aug 2015 07:36:55 +0000
Hi,

If you're still looking for a way of doing this: "It would be nice to only have one alert sent per minute but I'm getting many from the same cron job for that minute"

You should try something like this:

alert tcp any any -> any 80 (msg:"Heartbeat"; content:"/testheartbeat123"; http_uri; threshold:type limit, track by_src, count 1, seconds 60; classtype:not-suspicious; sid:1;)

It should log just 1 alert per minute.

You can have a look at the Snort Manual p.233 for more details and examples ;)

Cheers!

--
Gabriel Corré
Network Engineering Student, Ops - Core Infrastructure

From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: Wednesday, 12 August 2015 16:51
To: usa ims <usaims () yahoo com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Understanding the alert file

Awesome. Sounds good.

On Aug 12, 2015, at 10:38 AM, usa ims <usaims () yahoo com> wrote:

My issue is resolved by correcting the rule that was suggested by Joel. Thank you from South Florida. Additionally, the link provided by James was very useful.

On Tuesday, August 11, 2015 6:37 PM, Joel Esler (jesler) <jesler () cisco com> wrote:

I think what you mean to have is:

alert tcp any any -> any 80 (msg:"Heartbeat"; content:"/testheartbeat123"; http_uri; classtype:not-suspicious; sid:1;)

On Aug 11, 2015, at 5:43 PM, usa ims <usaims () yahoo com> wrote:

Snort 2.9.2.2 on RaspberryPi

I am trying to understand the 'alert' file. I am implementing a heartbeat rule so that I can check for lost packets while the system is being slammed. Here is the rule:

alert tcp any any -> any 80 (msg:" Heartbeat" content:/testheartbeat123"; classtype:not-suspicious;sid:1;)

I have a cron job being fired off every minute from a host on the EXTERNAL_NET:

* * * * * perl -MLWP::UserAgent -e 'LWP::UserAgent->new()->get("http://example.com/testheartbeat123");' > /dev/null 2>&1

In the alert file, it contains:

[**] [1:1:0] Heartbeat" content:/testheartbeat123 [**]
[Classification: Not Suspicious Traffic] [Priority: 3]
08/11-15:45:09.182768 192.168.0.99:36310 -> 192.168.24.24:80
TCP TTL:64 TOS:0x0 ID:56030 IpLen:20 DgmLen:60 DF
******S* Seq: 0xAFDDBF49 Ack: 0x0 Win: 0x7210 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 8611223 0 NOP WS: 6

[**] [1:1:0] Heartbeat" content:/testheartbeat123 [**]
[Classification: Not Suspicious Traffic] [Priority: 3]
08/11-15:45:09.184943 192.168.0.99:36310 -> 192.168.24.24:80
TCP TTL:64 TOS:0x0 ID:56031 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xAFDDBF4A Ack: 0x4AD89C91 Win: 0x1C9 TcpLen: 32
TCP Options (3) => NOP NOP TS: 8611223 8328656

[**] [1:1:0] Heartbeat" content:/testheartbeat123 [**]
[Classification: Not Suspicious Traffic] [Priority: 3]
08/11-15:45:09.975764 192.168.0.99:36310 -> 192.168.24.24:80
TCP TTL:64 TOS:0x0 ID:56032 IpLen:20 DgmLen:180 DF
***AP*** Seq: 0xAFDDBF4A Ack: 0x4AD89C91 Win: 0x1C9 TcpLen: 32
TCP Options (3) => NOP NOP TS: 8611302 8328656

[**] [1:1:0] Heartbeat" content:/testheartbeat123 [**]
[Classification: Not Suspicious Traffic] [Priority: 3]
08/11-15:45:09.981515 192.168.0.99:36310 -> 192.168.24.24:80
TCP TTL:64 TOS:0x0 ID:56033 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xAFDDBFCA Ack: 0x4AD89E7D Win: 0x1D9 TcpLen: 32
TCP Options (3) => NOP NOP TS: 8611303 8328736

[**] [1:1:0] Heartbeat" content:/testheartbeat123 [**]
[Classification: Not Suspicious Traffic] [Priority: 3]
08/11-15:45:10.019413 192.168.0.99:36310 -> 192.168.24.24:80
TCP TTL:64 TOS:0x0 ID:56034 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xAFDDBFCA Ack: 0x4AD89E7E Win: 0x1D9 TcpLen: 32
TCP Options (3) => NOP NOP TS: 8611307 8328736

[**] [1:1:0] Heartbeat" content:/testheartbeat123 [**]
[Classification: Not Suspicious Traffic] [Priority: 3]
08/11-15:45:10.116771 192.168.0.99:36310 -> 192.168.24.24:80
TCP TTL:64 TOS:0x0 ID:56035 IpLen:20 DgmLen:52 DF
***A***F Seq: 0xAFDDBFCA Ack: 0x4AD89E7E Win: 0x1D9 TcpLen: 32
TCP Options (3) => NOP NOP TS: 8611316 8328736

I need help understanding the '***????***'. It would be nice to only have one alert sent per minute but I'm getting many from the same cron job for that minute. It's going to be cumbersome looking through the alert logs looking for lost alerts to see if any packets were lost. This rule was taken from Martin's blog.

Any suggestions, comments, etc.

usaims

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
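As an added example (not part of the thread and not Snort's own code), a small Python parser for the 'full' alert records quoted above that decodes the '***????***' flag column usaims asked about and models the `threshold:type limit, track by_src, count 1, seconds 60` behaviour Gabriel recommends. The `record` helper, the year and the four sample records are constructed from the layout in the post, not taken from a real alert file.

```python
import re
from datetime import datetime

# Snort's 8-column flag field: reserved 1, reserved 2, URG, ACK, PSH, RST, SYN, FIN ('*' = clear).
FLAG_NAMES = ("RES1", "RES2", "URG", "ACK", "PSH", "RST", "SYN", "FIN")
HDR_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):\d+\] (.*) \[\*\*\]$")
PKT_RE = re.compile(r"(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{6}) (\S+):\d+ -> (\S+):\d+")

def decode_flags(field):
    """'******S*' -> ['SYN'], '***A***F' -> ['ACK', 'FIN']; rejects malformed fields."""
    if len(field) != 8 or any(c not in "*12UAPRSF" for c in field):
        raise ValueError("bad flag field: %r" % field)
    return [n for n, c in zip(FLAG_NAMES, field) if c != "*"]

def parse_alerts(text, year=2015):
    """Parse Snort 'full' alert records (six lines each, separated by a blank line)."""
    out = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        hdr = len(lines) >= 5 and HDR_RE.match(lines[0])
        pkt = hdr and PKT_RE.match(lines[2])
        if not pkt:
            continue  # short or garbled block, not a packet record; skip it
        mo, d, h, mi, s, us, src, dst = pkt.groups()
        out.append({"gid": int(hdr.group(1)), "sid": int(hdr.group(2)), "msg": hdr.group(3),
                    "time": datetime(year, int(mo), int(d), int(h), int(mi), int(s), int(us)),
                    "src": src, "dst": dst, "flags": decode_flags(lines[4].split(" ", 1)[0])})
    return out

def threshold_limit(alerts, count=1, seconds=60):
    """Model 'threshold:type limit, track by_src, count N, seconds S': per (gid, sid, source
    IP) keep the first N events, drop the rest until S seconds after the window's first event."""
    windows, kept = {}, []
    for a in alerts:
        key = (a["gid"], a["sid"], a["src"])
        start, seen = windows.get(key, (None, 0))
        if start is None or (a["time"] - start).total_seconds() >= seconds:
            start, seen = a["time"], 0  # window expired: open a new one
        windows[key] = (start, seen + 1)
        if seen < count:
            kept.append(a)
    return kept

def record(stamp, flags, ident):  # constructed six-line record in the post's alert-file layout
    return ("[**] [1:1:0] Heartbeat [**]\n[Classification: Not Suspicious Traffic] [Priority: 3]\n"
            "%s 192.168.0.99:36310 -> 192.168.24.24:80\nTCP TTL:64 TOS:0x0 ID:%d IpLen:20 DgmLen:52 DF\n"
            "%s Seq: 0xAFDDBF4A Ack: 0x4AD89C91 Win: 0x1C9 TcpLen: 32\nTCP Options (3) => NOP NOP TS: 1 2"
            % (stamp, ident, flags))

# Constructed sample: one cron run's SYN, request and FIN, then the next minute's SYN.
SAMPLE = "\n\n".join([record("08/11-15:45:09.182768", "******S*", 56030),
                      record("08/11-15:45:09.975764", "***AP***", 56032),
                      record("08/11-15:45:10.116771", "***A***F", 56035),
                      record("08/11-15:46:09.201133", "******S*", 56101)])
```

With the threshold applied, `threshold_limit(parse_alerts(SAMPLE))` keeps only the first packet of each minute, which is the one-alert-per-cron-run view the original poster wanted.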