Snort mailing list archives

Re: newbq: snort working, getting hits, got sig id's. What now?


From: John York <YorkJ () brcc edu>
Date: Fri, 30 Nov 2012 18:09:08 +0000

A quick way is to grep your rules file to see what the rule says.  Something like
grep "2012649" snort.rules

From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
Sent: Friday, November 30, 2012 12:34 PM
To: Thomison, Lee; 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] newbq: snort working, getting hits, got sig id's. What now?

In the rule itself there are sometimes URLs that link to more information.  BASE, at least, displays these.  There is 
also a Snort page where you can look up information on a rule at www.snort.org, but not all rules 
have useful information.  After that, you can look at the rule itself: what is it looking for?  Then you get into the 
nitty-gritty of trying to figure out if this is legitimate or not, which means understanding (or talking to people in 
your company about) what these systems are doing, what's "normal", etc...  There's no magic documentation for that, 
unfortunately.


From: Thomison, Lee [mailto:ThomisonL () muni org]
Sent: Thursday, November 29, 2012 3:30 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] newbq: snort working, getting hits, got sig id's. What now?

Pardon the newbie question, but...

I've got snort up and running (via security onion 12.04), got latest vrt rules, etc.  Let it run overnight and now I've 
got hits (surprise, surprise).  I've got sig id's for the first couple of high event count hits I want to look at, but 
what now?  Where do I go next or what do I do next to decide whether I have a problem or not?

Here's the two sigs I want to use as trainers for myself:

SIG ID     Message
2102649    GPL SQL service_name buffer overflow attempt
2102650    GPL SQL user name buffer overflow attempt

Where do I go to get more information on a sig id?

Now, in this case, the source IP is an old control systems box sending data to a couple of Oracle databases.  The 
source and dest IPs correspond with the 'right' boxes.  So I suspect that this is simply a result of the vendor or 
Oracle (or both) being sloppy.  But how do I confirm (or not)?

FWIW googling showed lots of info on how to write rules, but nothing on what to do after a hit.

Thanks!
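The two suggestions in this thread (grep the rules file for the SID, then read the rule's reference: URLs and its content/pcre options to see what it actually matches) put together as a small script. This is an added example and not code from the thread or from the Snort project; the rules, the reference-prefix map and the payloads are constructed stand-ins, not the real GPL SQL rules 2102649/2102650, and the matcher only handles plain content and pcre options, not Snort's full option set (no hex |..| content, no flow or port checks).

```python
"""Look up a Snort SID in a rules file and summarise what the rule matches.

Added example, not code from the thread.  The rules, reference prefixes
and payloads below are constructed stand-ins, not the real GPL SQL rules.
"""
import re

# Constructed sample rules file (assumption: plain VRT/ET .rules syntax).
SAMPLE_RULES = r'''
# comment line, skipped by find_sid
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1521 (msg:"SAMPLE SQL service_name buffer overflow attempt"; flow:to_server,established; content:"(SERVICE_NAME="; nocase; pcre:"/SERVICE_NAME=[^)]{1000}/i"; reference:url,example.com/sample-advisory; classtype:attempted-admin; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1521 (msg:"SAMPLE SQL user name buffer overflow attempt"; flow:to_server,established; content:"(USER="; nocase; pcre:"/USER=[^)]{1000}/i"; reference:url,example.com/sample-advisory; classtype:attempted-admin; sid:9000002; rev:1;)
'''

# Assumed subset of the prefix -> URL map that Snort's reference.config provides.
REFERENCE_PREFIXES = {
    "url": "http://",
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "bugtraq": "http://www.securityfocus.com/bid/",
}

HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')


def split_options(body):
    """Split the option body on ';' while respecting quoted strings."""
    opts, cur, in_quote, escaped = [], "", False, False
    for ch in body:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            cur, escaped = cur + ch, True
        elif ch == '"':
            cur, in_quote = cur + ch, not in_quote
        elif ch == ";" and not in_quote:
            if cur.strip():
                opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        opts.append(cur.strip())
    # Each option becomes (keyword, value); modifiers like nocase get value "".
    return [(o.partition(":")[0].strip(), o.partition(":")[2].strip().strip('"')) for o in opts]


def parse_rule(line):
    """Parse one rule line into header fields plus an ordered option list."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport,
            "options": split_options(body)}


def find_sid(rules_text, sid):
    """The grep step: return the parsed rule carrying sid:<sid>, or None."""
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule and ("sid", str(sid)) in rule["options"]:
            return rule
    return None


def option_values(rule, key):
    return [v for k, v in rule["options"] if k == key]


def reference_urls(rule):
    """Expand reference:<system>,<id> into clickable URLs (the links BASE shows)."""
    urls = []
    for ref in option_values(rule, "reference"):
        system, _, ident = ref.partition(",")
        prefix = REFERENCE_PREFIXES.get(system.lower())
        urls.append(prefix + ident if prefix else ref)
    return urls


def content_specs(rule):
    """Pair each content: with whether a following nocase; modifier applies to it."""
    specs = []
    for k, v in rule["options"]:
        if k == "content":
            specs.append([v, False])
        elif k == "nocase" and specs:
            specs[-1][1] = True
    return specs


def payload_matches(rule, payload):
    """Replay only the content/pcre options against a payload string."""
    for pattern, nocase in content_specs(rule):
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False
    for p in option_values(rule, "pcre"):
        body, _, flags = p[1:].rpartition("/")   # "/regex/flags" -> regex, flags
        if not re.search(body, payload, re.IGNORECASE if "i" in flags else 0):
            return False
    return True


def summarise(rule):
    return (f"{option_values(rule, 'msg')[0]}\n"
            f"  traffic: {rule['proto']} {rule['src']}:{rule['sport']} {rule['direction']} "
            f"{rule['dst']}:{rule['dport']}\n"
            f"  content: {[s[0] for s in content_specs(rule)]}  pcre: {option_values(rule, 'pcre')}\n"
            f"  references: {reference_urls(rule)}")


if __name__ == "__main__":
    rule = find_sid(SAMPLE_RULES, 9000001)
    print(summarise(rule))
    # Constructed TNS-style connect strings: an ordinary one and one with an oversized SERVICE_NAME.
    normal = "(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=scada))))"
    oversized = "(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=" + "A" * 1200 + ")))"
    print("normal payload fires:", payload_matches(rule, normal))
    print("oversized payload fires:", payload_matches(rule, oversized))
```

Running the payload from the alert's packet capture through payload_matches shows which option actually fired; if the control-system box really does send a field that long on every connection, the alert is explained by the traffic itself and the rule can be tuned for that host pair rather than chased as an attack.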

