Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Relation between events and rules set.

From: John Sage <jsage () finchhaven com>
Date: Wed, 23 Apr 2003 18:09:57 -0700
Julio:

Let's do a little trimming:

On or about Wed, Apr 23, 2003 at 04:47:30PM -0300, Julio Jaime posited:

Hi all,

     We are working on threath management system using snort +
logsnorter + syslog servers, but the core is snort.


<snip>


     I need know , how find the relation between the event and the
set of rules that trigger it event.
           


Is the question "which specific rule was triggered by a specific
event" ie: alert?

cd /wherever_your_snort_rules_are/
grep 'insert_phrase_from_alert' *

To wit:

[**] [1:0:0] TCP inbound to 80 http [**]
[Priority: 0]
04/21/03-18:07:00.234228 12.84.131.147:1894 -> 12.82.133.136:80
TCP TTL:120 TOS:0x0 ID:14681 IpLen:20 DgmLen:48 DF
******S* Seq: 0xDEEB0032  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[toot@tweedle /storage/snort]$ grep 'inbound to 80' *
tcp191-local.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 80
 (msg:"TCP inbound to 80 http";)



- John
-- 
"You are in a twisty maze of weblogs, all alike."

    PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: