Snort mailing list archives

Re: How to proceed


From: Nigel Houghton <nigel () sourcefire com>
Date: Thu, 10 Nov 2005 11:01:53 -0600

Subject: Re: [Snort-users] How to proceed
From: Ralf Spenneberg <lists () spenneberg org>
To: "Timothy A. Holmes" <tholmes () mcaschool net>
Cc: snort-users () lists sourceforge net
Date: Thu, 10 Nov 2005 17:29:22 +0100

Hi,

you configured everything correctly. This is a shortcoming in Base. 

The alert was generated by a preprocessor and not a signature. Base
cannot yet distinguish between these alerts and always tries to lookup a
signature at the snort homepage. All sids below 100 definitely are
preprocessor alerts and are not accessible through the snort homepage.

Ralf

Actually, it also depends on the generator id (gid) as well. Each
pre-processor has its own gid; in the case of the sfportscan pre-processor
it is 122 (look in the generators file for the others). So, your event
will have a gid 122 and sid 3, the document for this event is named
122-3.txt and you will find it in the docs directory shipped with the
rules files.

At the moment this document does not appear to be available via
snort.org and I will look into fixing this situation. You may also look
in gen-msg.map for the other gids and associated sids for other
pre-processors. The gid for the main rules detection engine is 1, so all
rule generated events could be identified as 1-(sid for the rule), but
the document naming convention for these doesn't yet use the 1-(sid)
format of the pre-processor docs. There is also a third identifier
concerning the revision number for the item that generated the event,
this is helpful for rules but the pre-processors all have a revision
number of 1.

On Thursday, 10.11.2005, 11:00 -0500, Timothy A. Holmes wrote:
Hi folks:

I am VERY new to using snort, I have it set up and sniffing between
our cable modem and the firewall, and it appears to be running well.

I am seeing alerts show up in BASE.  

So I look at a particular alert, and find the following

[snort] (portscan) TCP Portsweep unclassified 15(0%) 1 1 7 2005-11-09
10:13:55 2005-11-10 10:38:46

I click on the snort link which, if I understand correctly, should take
me to a page which will tell me what the alert means and what I should do
about it (if anything)

And I get the following (this is the link to the page)

http://www.snort.org/pub-bin/sigs.cgi?sid=27

Which basically tells me that the snort database has never heard of
this before

What do I do now???

Determine why the event was generated, look at the source and
destination addresses, take a close look at your snort.conf and decide
if you want to make some detailed tuning changes in there. The file is
well commented and should help greatly. The snort manual is also very
useful.

You could also take a look at README.sfportscan that came in the docs
directory of your snort source distribution for more information. This
contains a great deal of information on the tuning and configuration of
sfportscan.

Did I configure base incorrectly or what?

I must confess to being kinda lost

TIM

Timothy A. Holmes


+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

 I require a window seat and an inflight Happy Meal, and no pickles! 
 God help you if I find pickles!
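The gid/sid mapping Nigel describes above, as an added example written for this archive page (it is not code from the thread or from Snort itself). It assumes the documented layouts of gen-msg.map ("gid || sid || message") and sid-msg.map ("sid || message || optional references"); the map excerpts and the fast-format alert line are constructed for the example, and the rule sid 1000001 is a placeholder in the local-rule range. The point it shows is that the gid, not the sid range, is what tells you whether an event came from a rule or a preprocessor, and for a preprocessor event the doc file is named gid-sid.txt.

```python
"""Resolve a Snort event id (gid:sid:rev) to its origin and its doc file.

Added example for this archive page, not Snort's own code.  Assumes the
gen-msg.map layout "gid || sid || message" and the sid-msg.map layout
"sid || message [|| references]".  All sample data below is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in gen-msg.map layout: gid || sid || message.
SAMPLE_GEN_MSG_MAP = """\
# generator id || alert id || message
1 || 1 || snort general alert
122 || 1 || (portscan) TCP Portscan
122 || 3 || (portscan) TCP Portsweep
"""

# Constructed excerpt in sid-msg.map layout (gid 1 rules only): sid || msg || refs.
# Sid 1000001 is a placeholder in the local-rule range, not a real rule.
SAMPLE_SID_MSG_MAP = """\
1000001 || LOCAL example rule || url,example.invalid/rule
"""

# Constructed line in Snort's "fast" alert layout; the bracketed triple is gid:sid:rev.
SAMPLE_FAST_ALERT = (
    "11/10-10:38:46.123456  [**] [122:3:1] (portscan) TCP Portsweep [**] "
    "[Priority: 3] {PROTO:255} 192.0.2.10 -> 198.51.100.7"
)


def _split_map_line(line: str) -> Optional[List[str]]:
    """Return the '||'-separated fields of a map line, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    return [field.strip() for field in line.split("||")]


def parse_gen_msg_map(text: str) -> Dict[Tuple[int, int], str]:
    """Build {(gid, sid): message} from gen-msg.map contents."""
    table: Dict[Tuple[int, int], str] = {}
    for line in text.splitlines():
        parts = _split_map_line(line)
        if not parts or len(parts) < 3:
            continue
        try:
            key = (int(parts[0]), int(parts[1]))
        except ValueError:
            continue  # malformed line; skip rather than crash on a hand-edited map
        table[key] = parts[2]
    return table


def parse_sid_msg_map(text: str) -> Dict[int, str]:
    """Build {sid: message} from sid-msg.map contents (references are dropped)."""
    table: Dict[int, str] = {}
    for line in text.splitlines():
        parts = _split_map_line(line)
        if not parts or len(parts) < 2:
            continue
        try:
            sid = int(parts[0])
        except ValueError:
            continue
        table[sid] = parts[1]
    return table


_EVENT_ID = re.compile(r"\[(\d+):(\d+):(\d+)\]")


def event_id_from_fast_alert(line: str) -> Tuple[int, int, int]:
    """Extract (gid, sid, rev) from the [gid:sid:rev] triple in a fast-format alert."""
    match = _EVENT_ID.search(line)
    if not match:
        raise ValueError("no [gid:sid:rev] triple found in alert line")
    gid, sid, rev = (int(x) for x in match.groups())
    return gid, sid, rev


def resolve_event(gid: int, sid: int, rev: int,
                  gen_map: Dict[Tuple[int, int], str],
                  sid_map: Dict[int, str]) -> dict:
    """Classify an event by gid and say where its documentation lives.

    gid 1 is the rules engine: the message comes from sid-msg.map and the
    rule docs are not named gid-sid.txt.  Any other gid is a preprocessor:
    the message comes from gen-msg.map and the doc file is '<gid>-<sid>.txt'.
    """
    if gid == 1:
        return {"origin": "rule", "gid": gid, "sid": sid, "rev": rev,
                "message": sid_map.get(sid), "doc": None}
    return {"origin": "preprocessor", "gid": gid, "sid": sid, "rev": rev,
            "message": gen_map.get((gid, sid)), "doc": f"{gid}-{sid}.txt"}


if __name__ == "__main__":
    gen = parse_gen_msg_map(SAMPLE_GEN_MSG_MAP)
    rules = parse_sid_msg_map(SAMPLE_SID_MSG_MAP)
    print(resolve_event(*event_id_from_fast_alert(SAMPLE_FAST_ALERT), gen, rules))
```

Run it against your real maps by reading gen-msg.map and sid-msg.map from the rules directory instead of the constructed strings; an event that resolves to origin "preprocessor" with no message means the gen-msg.map shipped with your rules is older than the preprocessor that fired.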

