Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Help with Alerts

From: Pratik Narang <pratik.cse.bits () gmail com>
Date: Sun, 9 Sep 2012 14:00:06 +0530
---------- Forwarded message ----------
From: Pratik Narang <pratik.cse.bits () gmail com>
Date: Sun, Sep 9, 2012 at 12:52 PM
Subject: Re: [Snort-users] Help with Alerts
To: Joel Esler <jesler () sourcefire com>


Pardon my ignorance, but isn't sid-msg file supposed to contain all
sig ids of the rule pack i downloaded?? What is the difference between
just using snort and using snort with pulled pork?


On 9/8/12, Joel Esler <jesler () sourcefire com> wrote:

Probably want to.

--
Joel Esler

On Sep 8, 2012, at 8:02 AM, Pratik Narang <pratik.cse.bits () gmail com>
wrote:


nope

On Sat, Sep 8, 2012 at 5:23 PM, Joel Esler <jesler () sourcefire com> wrote:

If you are using pulledpork, it should generate your Sid-MSG.map for

you.

Are you using pulledpork?

--
Joel Esler
Sent from my iPad

On Sep 8, 2012, at 7:21 AM, Pratik Narang <pratik.cse.bits () gmail com>
wrote:


Hi all,
 Could someone help out why I am not able to identify this alert in any
of the files?

09/08-16:25:26.843914  [**] [1:18608:6] Snort Alert [1:18608:0] [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
{TCP} 172.16.x0.y0:58825 -> 199.47.216.148:80
09/08-16:26:15.505341  [**] [1:18608:6] Snort Alert [1:18608:0] [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
{TCP} 172.16.x0.y0:58790 -> 199.47.216.148:80
09/08-16:26:22.182389  [**] [1:18608:6] Snort Alert [1:18608:0] [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
{TCP} 172.16.x0.y0:58825 -> 199.47.216.148:80
09/08-16:27:12.671644  [**] [1:18608:6] Snort Alert [1:18608:0] [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
{TCP} 172.16.x0.y0:58790 -> 199.47.216.148:80
09/08-16:27:19.259019  [**] [1:18608:6] Snort Alert [1:18608:0] [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
{TCP} 172.16.x0.y0:58825 -> 199.47.216.148:80

The sid corresponds to app-detect.rules (Dropbox activity), but i cant
locate that sid in sid-msg.map. Why so? Am i looking at the wrong

place?



Snort version 2.9.3.1

Thanks...


------------------------------------------------------------------------------

Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond.
Discussions
will include endpoint security, mobile security and the latest in
malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!





------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: