Snort mailing list archives
Re: Understanding IDSkeys - thought I had it but no..........
From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 20 Aug 2001 11:28:42 -0700 (PDT)
On Mon, 20 Aug 2001, Mads Rasmussen wrote:
> Hmmm I thought I had it but....
>
>   [**] [111:8:1] spp_stream4: STEALTH ACTIVITY (FIN scan) detection [**]
>   [**] [111:3:1] spp_stream4: Possible RETRANSMISSION detection [**]
>
> Then what is the idskey?
>
> In log.c (around line 736):
>
>     if(msg != NULL)
>     {
>         fwrite("[**] ", 5, 1, file);
>
>         if(event != NULL)
>         {
>             fprintf(file, "[%lu:%lu:%lu] ",
>                     (unsigned long) event->sig_generator,
>                     (unsigned long) event->sig_id,
>                     (unsigned long) event->sig_rev);
>         }
>
> The FAQ doesn't mention this very clearly, what is the procedure exactly? First I just had the 111:3:1 key and searched for 111 on the whitehat.com/ids site. This gave me info about a trojan, but now that a FIN scan gives the same number just with a different suffix, what is the ids key and how do I search for it on whitehats?
If you'll take a look at one of the *.rules files you'll see something like:

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1;)

The sid is the 'snort id' of the rule. This way, there is some method to the madness of rules and revisions of those rules.

There was a fairly good explanation a while back that explains how the SID would be used and what could and couldn't be used as SID numbers. I'm sorry, but I don't have the pointer to it ATM. You should be able to search the archives and find it. I think it's from Marty... Go Figure! :)

Hope this helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
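The thread boils down to one mapping: the bracketed key that log.c prints is [sig_generator:sid:rev], and for a text rule the sid and rev come from the rule's own options, while preprocessor events such as spp_stream4 carry their own generator id (111 in the alerts quoted above). The following Python, added here as an illustration and not code from the list or from Snort itself, parses both the alert header and the rule option block, traces each alert back to its source, and flags the case where an alert's rev no longer matches the rule file you hold (a stale rule set). The sample alerts and the 111 = spp_stream4 table are constructed from the lines in this thread; generator 1 for text rules is Snort's convention.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: alert lines in the "[**] [gid:sid:rev] msg [**]"
# shape that log.c prints, plus two alerts from a text rule (second one has
# a newer rev than the rule file below, to show the mismatch check).
SAMPLE_ALERTS = [
    "[**] [111:8:1] spp_stream4: STEALTH ACTIVITY (FIN scan) detection [**]",
    "[**] [111:3:1] spp_stream4: Possible RETRANSMISSION detection [**]",
    "[**] [1:1002:1] WEB-IIS cmd.exe access [**]",
    "[**] [1:1002:3] WEB-IIS cmd.exe access [**]",
]

# Constructed rule file holding the rule quoted in the thread.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; '
    'flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1;)',
]

# Generator ids owned by preprocessors (built from the thread: 111 = spp_stream4).
# Text rules are emitted under generator 1.
PREPROCESSOR_GENERATORS = {111: "spp_stream4"}
RULE_GENERATOR = 1

ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")


@dataclass(frozen=True)
class EventKey:
    generator: int  # event->sig_generator
    sid: int        # event->sig_id
    rev: int        # event->sig_rev


def parse_alert(line: str) -> Optional[Tuple[EventKey, str]]:
    """Split one alert line into its [gid:sid:rev] key and message text."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    gen, sid, rev, msg = m.groups()
    return EventKey(int(gen), int(sid), int(rev)), msg


def split_options(body: str) -> List[str]:
    """Split a rule option body on ';' without breaking inside quoted strings."""
    parts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if in_quote and ch == "\\" and i + 1 < len(body):
            cur.append(body[i:i + 2])  # keep escaped char inside a quoted value
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    tail = "".join(cur).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(rule: str) -> Dict[str, str]:
    """Return the rule's options (msg, sid, rev, ...); flag-only options map to ''."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts: Dict[str, str] = {}
    for part in split_options(body):
        name, _, value = part.partition(":")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        opts[name.strip()] = value
    return opts


def index_rules(rules: List[str]) -> Dict[Tuple[int, int], Tuple[int, str]]:
    """Map (generator, sid) -> (rev, msg) so an alert key can be traced to its rule."""
    idx: Dict[Tuple[int, int], Tuple[int, str]] = {}
    for rule in rules:
        opts = parse_rule(rule)
        if "sid" in opts:
            idx[(RULE_GENERATOR, int(opts["sid"]))] = (int(opts.get("rev", "0")), opts.get("msg", ""))
    return idx


def explain_alert(line: str, rule_index: Dict[Tuple[int, int], Tuple[int, str]]) -> Dict[str, object]:
    """Say where an alert came from: a preprocessor, a known rule, or an unknown sid."""
    parsed = parse_alert(line)
    if parsed is None:
        return {"source": "unparsed"}
    key, msg = parsed
    if key.generator in PREPROCESSOR_GENERATORS:
        return {"source": "preprocessor", "generator": PREPROCESSOR_GENERATORS[key.generator],
                "sid": key.sid, "rev": key.rev, "msg": msg}
    hit = rule_index.get((key.generator, key.sid))
    if hit is None:
        return {"source": "unknown rule", "sid": key.sid, "rev": key.rev, "msg": msg}
    rule_rev, rule_msg = hit
    # A rev that differs from the loaded rule means the sensor and the rule
    # file you are reading are out of step; look the sid up against the right revision.
    return {"source": "rule", "sid": key.sid, "rev": key.rev, "msg": rule_msg,
            "revision_mismatch": rule_rev != key.rev}


if __name__ == "__main__":
    index = index_rules(SAMPLE_RULES)
    for alert in SAMPLE_ALERTS:
        print(explain_alert(alert, index))
```

Run stand-alone it prints one dict per sample alert; the two spp_stream4 alerts resolve to the preprocessor, [1:1002:1] resolves to the quoted rule, and [1:1002:3] is reported with revision_mismatch set, which is the situation to check for before searching a sid on an external reference site.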
Current thread:
- Understanding IDSkeys - thought I had it but no.......... Mads Rasmussen (Aug 20)
- Re: Understanding IDSkeys - thought I had it but no.......... Erek Adams (Aug 20)
- Re: Understanding IDSkeys - thought I had it but no.......... Jörgen Persson (Aug 20)