Snort mailing list archives
Re: How to proceed
From: Nigel Houghton <nigel () sourcefire com>
Date: Thu, 10 Nov 2005 11:01:53 -0600
Message: 7
Subject: Re: [Snort-users] How to proceed
From: Ralf Spenneberg <lists () spenneberg org>
To: "Timothy A. Holmes" <tholmes () mcaschool net>
Cc: snort-users () lists sourceforge net
Date: Thu, 10 Nov 2005 17:29:22 +0100

Hi,

you configured everything correctly. This is a shortcoming in Base. The alert was generated by a preprocessor and not a signature. Base cannot yet distinguish between these alerts and always tries to look up a signature at the snort homepage. All sids below 100 definitely are preprocessor alerts and are not accessible through the snort homepage.

Ralf
Actually, it also depends on the generator id (gid) as well. Each pre-processor has its own gid; in the case of the sfportscan pre-processor it is 122 (look in the generators file for the others). So, your event will have a gid of 122 and a sid of 3. The document for this event is named 122-3.txt and you will find it in the docs directory shipped with the rules files. At the moment this document does not appear to be available via snort.org and I will look into fixing this situation. You may also look in gen-msg.map for the other gids and associated sids for other pre-processors. The gid for the main rules detection engine is 1, so all rule-generated events could be identified as 1-(sid for the rule), but the document naming convention for these doesn't yet use the 1-(sid) format of the pre-processor docs. There is also a third identifier concerning the revision number for the item that generated the event; this is helpful for rules, but the pre-processors all have a revision number of 1.
On Thursday, 10.11.2005, 11:00 -0500, Timothy A. Holmes wrote:

Hi folks:

I am VERY new to using snort. I have it set up and sniffing between our cable modem and the firewall, and it appears to be running well. I am seeing alerts show up in BASE. So I look at a particular alert, and find the following:

[snort] (portscan) TCP Portsweep unclassified 15(0%) 1 1 7 2005-11-09 10:13:55 2005-11-10 10:38:46

I click on the snort link which, if I understand correctly, should take me to a page which will tell me what the alert means and what I should do about it (if anything). And I get the following (this is the link to the page):

http://www.snort.org/pub-bin/sigs.cgi?sid=27

Which basically tells me that the snort database has never heard of this before. What do I do now???
Determine why the event was generated, look at the source and destination addresses, take a close look at your snort.conf and decide if you want to make some detailed tuning changes in there. The file is well commented and should help greatly. The snort manual is also very useful. You could also take a look at README.sfportscan that came in the docs directory of your snort source distribution for more information. This contains a great deal of information on the tuning and configuration of sfportscan.
Did I configure base incorrectly or what? I must confess to being kinda lost.

TIM
Timothy A. Holmes
+--------------------------------------------------------------------+
Nigel Houghton
Research Engineer
Sourcefire Inc.
Vulnerability Research Team

I require a window seat and an inflight Happy Meal, and no pickles! God help you if I find pickles!
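As an added illustration of the gid/sid point Nigel makes above (this is example code, not anything from the thread or from the Snort project), the resolver below reads gen-msg.map's "gid || sid || message" layout, classifies an event as preprocessor or rule-engine by its gid, derives the 122-3.txt style document name for preprocessor events, and shows why a sid-only lookup like BASE's is ambiguous. The map lines embedded in it are a constructed sample, not a copy of a real gen-msg.map.

```python
# Added example: resolve a Snort event's (gid, sid) against gen-msg.map.
# The map text below is a constructed sample in gen-msg.map's layout.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_GEN_MSG_MAP = """\
# constructed sample of gen-msg.map
1 || 1 || snort general alert
1 || 3 || snort dynamic alert
116 || 3 || (snort_decoder) WARNING: IP dgm len < IP Hdr len!
122 || 1 || (portscan) TCP Portscan
122 || 3 || (portscan) TCP Portsweep
"""

RULES_GID = 1  # gid 1 is the main rules detection engine; all others are preprocessors


@dataclass
class GenEntry:
    gid: int
    sid: int
    message: str


def parse_gen_msg_map(text: str) -> Dict[Tuple[int, int], GenEntry]:
    """Parse 'gid || sid || message' lines, skipping comments, blanks and malformed lines."""
    entries: Dict[Tuple[int, int], GenEntry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||", 2)]
        if len(parts) != 3 or not (parts[0].isdigit() and parts[1].isdigit()):
            continue  # ignore a damaged line rather than abort the whole load
        gid, sid = int(parts[0]), int(parts[1])
        entries[(gid, sid)] = GenEntry(gid, sid, parts[2])
    return entries


def is_preprocessor_event(gid: int) -> bool:
    return gid != RULES_GID


def doc_filename(gid: int, sid: int) -> Optional[str]:
    """Preprocessor docs are named <gid>-<sid>.txt; rule docs do not use that convention."""
    return f"{gid}-{sid}.txt" if is_preprocessor_event(gid) else None


def gids_sharing_sid(entries: Dict[Tuple[int, int], GenEntry], sid: int) -> List[int]:
    """Every gid that uses this sid: more than one means a sid-only lookup is ambiguous."""
    return sorted(e.gid for e in entries.values() if e.sid == sid)
```

For the portsweep event from the thread, `doc_filename(122, 3)` yields `122-3.txt`, while `gids_sharing_sid(m, 3)` lists every generator that reuses sid 3, which is exactly what a sid-only lookup cannot tell apart.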