Snort mailing list archives

Re: Understanding IDSkeys - thought I had it but no..........


From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 20 Aug 2001 11:28:42 -0700 (PDT)

On Mon, 20 Aug 2001, Mads Rasmussen wrote:


Hmmm I thought I had it but....

[**] [111:8:1] spp_stream4: STEALTH ACTIVITY (FIN scan) detection [**]

[**] [111:3:1] spp_stream4: Possible RETRANSMISSION detection [**]

Then what is the idskey?

In log.c:

    if(msg != NULL)
    {
        fwrite("[**] ", 5, 1, file);

        if(event != NULL)
        {
                fprintf(file, "[%lu:%lu:%lu] ",
                        (unsigned long) event->sig_generator,
                        (unsigned long) event->sig_id,
                        (unsigned long) event->sig_rev);
        }


The FAQ doesn't mention this very clearly; what is the procedure exactly?
First I just had the 111:3:1 key and searched for 111 on the whitehat.com/ids
site. This gave me info about a trojan, but now that a FIN scan gives the same
number, just with a different suffix, what is the IDS key and how do I search for
it on whitehats?

If you'll take a look at one of the *.rules file you'll see something like:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access";
flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002;
rev:1;)

The sid is the 'snort id' of the rule.  This way, there is some method to the
madness of rules and revisions of those rules.  There was a fairly good
explanation a while back that explains how the SID would be used and what
could and couldn't be used as SID numbers.  I'm sorry, but I don't have the
pointer to it ATM.  You should be able to search the archives and find it.  I
think it's from Marty...  Go Figure! :)

Hope this helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
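An added example (not part of this thread or of Snort's own code) that reads the [generator:sid:rev] key exactly as the log.c fprintf above writes it and resolves rule-based alerts against a ruleset by sid and rev. It assumes Snort's convention that text rules report under generator 1, so a key like 111:8:1 belongs to a preprocessor (spp_stream4 here) rather than to any sid in the *.rules files; the rule and alert lines used as input are constructed from the ones quoted in the thread.

```python
import re

# Alert header exactly as log.c prints it: "[**] [gen:sid:rev] msg [**]"
ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"')
# Assumption: text rules report under generator 1; 111 (spp_stream4) is a preprocessor.
RULES_GENERATOR = 1

def parse_alert(line):
    """Return ((gen, sid, rev), msg) for an alert header line, else None."""
    m = ALERT_RE.search(line)
    return None if m is None else ((int(m[1]), int(m[2]), int(m[3])), m[4])

def index_rules(rules_text):
    """Map (1, sid, rev) -> msg for each rule; a trailing '\\' joins wrapped lines."""
    index = {}
    for rule in rules_text.replace("\\\n", " ").splitlines():
        sid, rev, msg = SID_RE.search(rule), REV_RE.search(rule), MSG_RE.search(rule)
        if rule.lstrip().startswith("#") or sid is None or rev is None:
            continue  # comments, and rules lacking sid/rev, have no key to look up
        index[(RULES_GENERATOR, int(sid[1]), int(rev[1]))] = msg[1] if msg else ""
    return index

def describe(line, index):
    """Say which rule or preprocessor event produced one alert header line."""
    parsed = parse_alert(line)
    if parsed is None:
        return "not an alert header"
    (gen, sid, rev), msg = parsed
    if gen != RULES_GENERATOR:
        return f"preprocessor generator {gen}, event {sid} rev {rev}: {msg}"
    if (gen, sid, rev) not in index:
        return f"rule sid:{sid} rev:{rev} is not in the loaded ruleset"
    return f"rule sid:{sid} rev:{rev}: {index[(gen, sid, rev)]}"

# Constructed sample: the wrapped rule from the reply plus three alert headers.
SAMPLE_RULES = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; \\\n'
    'flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1;)\n'
)
SAMPLE_ALERTS = [
    "[**] [111:8:1] spp_stream4: STEALTH ACTIVITY (FIN scan) detection [**]",
    "[**] [1:1002:1] WEB-IIS cmd.exe access [**]",
    "[**] [1:1002:2] WEB-IIS cmd.exe access [**]",
]
def run_sample():
    index = index_rules(SAMPLE_RULES)
    return [describe(line, index) for line in SAMPLE_ALERTS]
```

The third sample alert carries rev 2 while the ruleset only holds rev 1, which is how a revised rule shows up when the alert log and the *.rules files come from different rule revisions.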

