Snort mailing list archives

Re: Signature Lookup Confusion


From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 07 May 2013 13:52:28 -0400

On 5/7/2013 13:24, Josh Bitto wrote:
> I'm having a bit of a problem fully grasping how to search up rules that have
> been fired.....

> 2013-05-07T10:14:05-07:00 firewall snort[62223]: [120:8:1] (http_inspect)
> INVALID CONTENT-LENGTH OR CHUNK SIZE [Classification: Unknown Traffic]
> [Priority: 3] {TCP} 209.97.200.53:32459 ->  216.178.47.38:80


> Ok so what I understand from the log is that rule 120 fired. Either I need

no sir... rule identifiers are in GID:SID:rev format... only the GID:SID are 
really necessary...

the above says Generator 120 fired its rule with SID 8...

Generator 120 is http_inspect...

its rule SID 8 is "INVALID CONTENT-LENGTH OR CHUNK SIZE"...

these are not "normal" rules like the *.rules files you download... these rules 
are built into the processor...

> some caffeine or it's a horrible Tuesday for me to comprehend this, but I'm
> just not getting it. The instructions on how to search for the group id and
> the sid for some reason are not sticking. Can someone dumb this down for
> me....I'm gonna run out and get a pop and hopefully come back to someone who
> has awesomely helped me out.

does the above help?

> Basically I want to be able to search for explanations on whatever event
> happens so I can determine if I need to take action or not.

this is where you might need to break out a pcap viewing tool like wireshark so 
you can look at the content of the network traffic that triggered the rule... 
snort should have saved a pcap for you and this particular entry will likely be 
inside a large pcap containing other saved traffic from other alerts... you use 
the timestamp to determine the proper packet to look at and then work it from 
there...


FWIW: i have someone who is a client on a large Canadian cable network and they 
are getting hit by tons of these... we haven't yet determined why, though...

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
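As an added example (not code from the thread or from the Snort project), the following script shows the GID:SID:rev breakdown described above in working form: it parses Snort 2.x syslog alert lines into the generator, signature ID, revision, classification, priority, protocol and endpoints, looks the pair up in the gen-msg.map ("gid || sid || msg") and sid-msg.map ("sid || msg || refs") formats Snort ships, and says whether the rule is a text rule you can grep for by SID (GID 1, or 3 for shared-object rules) or a built-in generator such as 120 (http_inspect). The log lines, map excerpts, SID 1000001 and the RFC 5737 addresses are constructed for the example; the first log line is the one from the thread rejoined onto a single line.

```python
"""Parse Snort 2.x syslog alert lines and map GID:SID:rev back to a message
and to the place the rule lives. Example code, not Snort's own."""
import re

# Snort alert line layout (IPv4 only; ports are absent for ICMP):
# [gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)

# GID 1 = text rules from *.rules, GID 3 = shared-object rules. Any other
# generator is a preprocessor or decoder whose rules are built in.
TEXT_RULE_GIDS = {1, 3}


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "priority", "sport", "dport"):
        d[k] = int(d[k]) if d[k] is not None else None
    d["key"] = (d["gid"], d["sid"])   # the pair that actually identifies the rule
    return d


def load_msg_map(text, default_gid=None):
    """Read gen-msg.map ("gid || sid || msg") or, with default_gid=1,
    sid-msg.map ("sid || msg || references"), whose entries carry no GID."""
    table = {}
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        fields = [f.strip() for f in raw.split("||")]
        if default_gid is None:
            gid, sid, msg = int(fields[0]), int(fields[1]), fields[2]
        else:
            gid, sid, msg = default_gid, int(fields[0]), fields[1]
        table[(gid, sid)] = msg
    return table


def where_to_look(alert, table):
    """Resolve the GID:SID pair to a message and say where the rule text lives."""
    gid, sid = alert["key"]
    msg = table.get((gid, sid), alert["msg"])
    if gid in TEXT_RULE_GIDS:
        hint = f"text rule: grep -rE 'sid: *{sid};' /etc/snort/rules/ and read the body"
    else:
        hint = (f"built-in generator {gid} (preprocessor/decoder): see gen-msg.map, "
                f"preproc_rules/ and the preprocessor README, not the downloaded *.rules")
    return f"[{gid}:{sid}] {msg} -> {hint}"


# Constructed sample input: the thread's line rejoined, plus an alert from a
# hypothetical local text rule (SID 1000001 is in the local-rule range).
SAMPLE_LOG = [
    "2013-05-07T10:14:05-07:00 firewall snort[62223]: [120:8:1] (http_inspect) "
    "INVALID CONTENT-LENGTH OR CHUNK SIZE [Classification: Unknown Traffic] "
    "[Priority: 3] {TCP} 209.97.200.53:32459 ->  216.178.47.38:80",
    "2013-05-07T10:15:12-07:00 firewall snort[62223]: [1:1000001:2] LOCAL example "
    "rule [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} "
    "203.0.113.10:44321 -> 192.0.2.5:8080",
]

# Constructed excerpts in the gen-msg.map and sid-msg.map formats.
GEN_MSG_MAP = """\
# gid || sid || message
120 || 8 || (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
"""
SID_MSG_MAP = """\
# sid || message || references
1000001 || LOCAL example rule
"""


def build_table():
    table = load_msg_map(GEN_MSG_MAP)
    table.update(load_msg_map(SID_MSG_MAP, default_gid=1))
    return table


if __name__ == "__main__":
    table = build_table()
    for line in SAMPLE_LOG:
        alert = parse_alert(line)
        print(where_to_look(alert, table))
```

Run against the thread's line it reports generator 120, SID 8, and points at the preprocessor documentation rather than a downloaded rules file; for the GID 1 alert it gives the grep to find the rule body by SID. The timestamp, endpoints and ports it extracts are what you carry over to the saved pcap to find the packets that fired it.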


