Snort mailing list archives
Re: Strange Alert
From: Nigel Houghton <nhoughton () sourcefire com>
Date: Wed, 10 Feb 2010 08:28:52 -0500
On Wed, Feb 10, 2010 at 7:06 AM, Jens Link <jenslink () gmx de> wrote:
> Hi,
>
> I have a snort (2.8.5.2) setup here using barnyard (2.1.7) and base (1.4.4).
> Everything works as expected except for one alert which shows up on base:
>
>     [snort] Snort Alert [133:34:0] unclassified
>
> I grepped /etc/snort and the source and didn't find anything. Any ideas?
>
> Jens
>
> --
> -------------------------------------------------------------------------
> | Foelderichstr. 40   | 13595 Berlin, Germany | +49-151-18721264       |
> | http://www.quux.de  | http://blog.quux.de   | jabber: jenslink () guug de |
> -------------------------------------------------------------------------
>
> ------------------------------------------------------------------------------
> SOLARIS 10 is the OS for Data Centers - provides features such as DTrace,
> Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW
> http://p.sf.net/sfu/solaris-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
>
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
If you look in the gen-msg.map (it's in the distribution, look for it) you will find:

    133 || 34 || dcerpc2: Connection-oriented DCE/RPC - Fragment length on non-last fragment less than maximum negotiated fragment transmit size for client

Then if you look in the doc directory (it's in the distribution, look for it) you will find the document that accompanies this event; it is named 133-34.txt. (I thought the gid-sid.txt naming convention might be helpful.)

Also, you might want to enable the preprocessor rules; then you might get the classification as well.

Oh, and one more thing about the events, for the fifty-hundred-billionth time: the format is [GID:SID:REV], so the event you have would be GID 133 (look in the gen-msg.map again for the preprocessor that gives the event), SID 34, REVISION 0.

--
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
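The lookup Nigel describes, done in code: take the raw `[GID:SID:REV]` string BASE shows, split it into its three fields, look the GID/SID pair up in gen-msg.map for the preprocessor and message text, derive the `gid-sid.txt` doc file name, and pull the classtype from preprocessor.rules if those rules are loaded (falling back to "unclassified" when they are not, which is exactly what Jens saw). This is an added example, not code from the thread or from the Snort distribution. The gen-msg.map and preprocessor.rules lines embedded below are constructed samples written in those files' formats; the rule `msg` name and classtype in the sample are assumptions, not copied from a real release.

```python
"""Resolve a Snort alert such as "[133:34:0]" to its preprocessor, message,
doc file and classtype. Added example; not from the original thread."""
import re

# Constructed sample in the gen-msg.map format: gid || sid || message
SAMPLE_GEN_MSG_MAP = """\
# gid || sid || message
133 || 1 || dcerpc2: Memory cap exceeded
133 || 34 || dcerpc2: Connection-oriented DCE/RPC - Fragment length on non-last fragment less than maximum negotiated fragment transmit size for client
"""

# Constructed sample in the preprocessor.rules syntax. The msg name and
# classtype are assumptions for illustration, not taken from a release.
SAMPLE_PREPROC_RULES = """\
# dcerpc2 preprocessor events
alert ( msg: "DCERPC2_CO_FRAG_LT_MAX_XMIT_FRAG"; sid: 34; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: protocol-command-decode; )
"""

ALERT_ID_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")          # [GID:SID:REV]
GEN_MSG_RE = re.compile(r"^\s*(\d+)\s*\|\|\s*(\d+)\s*\|\|\s*(.*?)\s*$")


def parse_alert_id(text):
    """Return (gid, sid, rev) for the first [GID:SID:REV] in text, else None."""
    m = ALERT_ID_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def parse_gen_msg_map(text):
    """Map (gid, sid) -> message text from gen-msg.map contents."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = GEN_MSG_RE.match(line)
        if m:
            table[(int(m.group(1)), int(m.group(2)))] = m.group(3)
    return table


def parse_preproc_classtypes(text):
    """Map (gid, sid) -> classtype from preprocessor.rules contents."""
    table = {}
    for line in text.splitlines():
        if not line.lstrip().startswith("alert"):
            continue
        gid = re.search(r"\bgid:\s*(\d+)", line)
        sid = re.search(r"\bsid:\s*(\d+)", line)
        cls = re.search(r"\bclasstype:\s*([\w-]+)", line)
        if gid and sid and cls:
            table[(int(gid.group(1)), int(sid.group(1)))] = cls.group(1)
    return table


def resolve_alert(alert_text, gen_msg_map_text, preproc_rules_text=""):
    """Explain a raw alert line. Without preprocessor rules the classtype is
    reported as "unclassified", matching what BASE shows in that case."""
    ids = parse_alert_id(alert_text)
    if ids is None:
        return None
    gid, sid, rev = ids
    msg = parse_gen_msg_map(gen_msg_map_text).get((gid, sid))
    cls = parse_preproc_classtypes(preproc_rules_text).get((gid, sid), "unclassified")
    # gen-msg.map messages are prefixed "preprocessor: description"
    preproc = msg.split(":", 1)[0] if msg and ":" in msg else None
    return {
        "gid": gid,
        "sid": sid,
        "rev": rev,
        "preprocessor": preproc,
        "message": msg,
        "classtype": cls,
        "doc_file": f"{gid}-{sid}.txt",   # the gid-sid.txt convention
    }


if __name__ == "__main__":
    line = "[snort] Snort Alert [133:34:0] unclassified"
    print(resolve_alert(line, SAMPLE_GEN_MSG_MAP))                      # no preproc rules
    print(resolve_alert(line, SAMPLE_GEN_MSG_MAP, SAMPLE_PREPROC_RULES))  # with them
```

To use it against a real installation, read the actual gen-msg.map and preprocessor.rules from the distribution and pass their contents in place of the constructed samples; the doc_file value then names the file to open under the doc directory.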
Current thread:
- Strange Alert Jens Link (Feb 10)
- Re: Strange Alert Nigel Houghton (Feb 10)
- Re: Strange Alert Jens Link (Feb 10)
- Re: Strange Alert Todd Wease (Feb 10)
- Re: Strange Alert Nigel Houghton (Feb 10)
- Re: Strange Alert Jens Link (Feb 10)
- Re: Strange Alert Jens Link (Feb 10)
- Re: Strange Alert Nigel Houghton (Feb 10)
- Re: Strange Alert John Gay (Feb 10)
- Re: Strange Alert Dirk Geschke (Feb 10)