Snort mailing list archives

Re: where can i find info about events


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 10 May 2004 11:27:59 -0400

At 09:49 AM 5/10/2004, derk van de Velde wrote:
hi,

where can I find info about e.g. "attempted information leak"?
how severe is it?
I'm new
regards,
derk

"Attempted information leak" is a class of alerts, not any specific event. There are dozens of rules in this class, some severe, some not.

If you want some description of a specific alert, enter its SID into the rule documentation search that's on www.snort.org.

For example, this alert:

[**] [1:1549:11] SMTP HELO overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
xx/xx-xx:55:36.462727 xx.xx.xx.xx:xxxxx -> xx.xx.xx.xx:25
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:52
***AP*** Seq: 0xxxxxxxxx  Ack: 0xxxxxxxxx  Win: 0x415B  TcpLen: 20

has a SID of 1549, which I extracted from [1:1549:11].

Note that the first number must be 1 for it to be a rule. Anything else is generated by the preprocessors and isn't documented in the rule docs; it's documented in the docs for the preprocessor itself.

Entering 1549 into the search gets me this:

http://www.snort.org/snort-db/sid.html?sid=1549



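As an added illustration of the reply above (not code from the post or from the Snort project), the following parses an alert in Snort's "full" alert format, pulls out the [gid:sid:rev] header, and applies the gid-must-be-1 rule to decide whether the rule-doc lookup URL from the post applies. The sample alerts are constructed for this example; the second one uses a made-up preprocessor gid purely to show the non-rule branch.

```python
import re
from typing import Optional

# Constructed sample in Snort's "full" alert format, modelled on the one
# quoted in the post (addresses and sequence numbers masked, as they were there).
SAMPLE_ALERT = """\
[**] [1:1549:11] SMTP HELO overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
xx/xx-xx:55:36.462727 xx.xx.xx.xx:xxxxx -> xx.xx.xx.xx:25
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:52
***AP*** Seq: 0xxxxxxxxx  Ack: 0xxxxxxxxx  Win: 0x415B  TcpLen: 20
"""

# Constructed preprocessor-style event: gid 999 is a placeholder, not a real gid.
PREPROC_ALERT = """\
[**] [999:7:1] (example_preprocessor) constructed event [**]
[Classification: Unknown Traffic] [Priority: 3]
"""

HEADER_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]")
CLASS_RE = re.compile(r"\[Classification:\s*(.*?)\]")
PRIO_RE = re.compile(r"\[Priority:\s*(\d+)\]")

def parse_alert(text: str) -> dict:
    """Extract gid/sid/rev, message, classification and priority from one alert."""
    m = HEADER_RE.search(text)
    if m is None:
        raise ValueError("no [gid:sid:rev] header found")
    gid, sid, rev = (int(x) for x in m.group(1, 2, 3))
    cls = CLASS_RE.search(text)
    prio = PRIO_RE.search(text)
    return {
        "gid": gid, "sid": sid, "rev": rev,
        "msg": m.group(4),
        "classification": cls.group(1) if cls else None,
        "priority": int(prio.group(1)) if prio else None,
        # gid 1 is a ruleset rule; any other gid is a preprocessor event, which
        # is documented with that preprocessor rather than in the rule docs.
        "is_rule": gid == 1,
    }

def doc_url(alert: dict) -> Optional[str]:
    """Rule-doc URL in the form used in the post; None for preprocessor events."""
    if not alert["is_rule"]:
        return None
    return f"http://www.snort.org/snort-db/sid.html?sid={alert['sid']}"

if __name__ == "__main__":
    for raw in (SAMPLE_ALERT, PREPROC_ALERT):
        parsed = parse_alert(raw)
        print(parsed["gid"], parsed["sid"], parsed["msg"], "->", doc_url(parsed))
```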

