Snort mailing list archives
Re: Signature Lookup Confusion
From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 07 May 2013 13:52:28 -0400
On 5/7/2013 13:24, Josh Bitto wrote:
I'm having a bit of a problem fully grasping how to search up rules that have been fired..... 2013-05-07T10:14:05-07:00 firewall snort[62223]: [120:8:1] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [Classification: Unknown Traffic] [Priority: 3] {TCP} 209.97.200.53:32459 -> 216.178.47.38:80 Ok so what I understand from the log is that rule 120 fired. Either I need
no sir... rule identifiers are in GID:SID:rev format... only the GID:SID are really necessary... the above says Generator 120 fired its rule with SID 8... Generator 120 is http_inspect... its rule SID 8 is "INVALID CONTENT-LENGTH OR CHUNCK SIZE"... these are not "normal" rules like the *.rules files you download... these rules are built into the processor...
some caffeine or it's a horrible Tuesday for me to comprehend this, but I'm just not getting it. The instructions on how to search for the group id and the sid for some reason are not sticking. Can someone dumb this down for me....I'm gonna run out and get a pop and hopefully come back to someone who has awesomely helped me out.
does the above help?
Basically I want to be able to search for explanations on whatever event happens so I can determine if I need to take action or not.
this is where you might need to break out a pcap viewing tool like wireshark so you can look at the content of the network traffic that triggered the rule... snort should have saved a pcap for you and this particular entry will likely be inside a large pcap containing other saved traffic from other alerts... you use the timestamp to determine the proper packet to look at and then work it from there... FWIW: i've someone who is a client on a large Canadian cable network and they are getting hit by tons of these... we haven't yet determined why, though... -- NOTE: No off-list assistance is given without prior approval. Please keep mailing list traffic on the list unless private contact is specifically requested and granted. ------------------------------------------------------------------------------ Learn Graph Databases - Download FREE O'Reilly Book "Graph Databases" is the definitive new guide to graph databases and their applications. This 200-page book is written by three acclaimed leaders in the field. The early access version is available now. Download your free book today! http://p.sf.net/sfu/neotech_d2d_may _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Signature Lookup Confusion Josh Bitto (May 07)
- Re: Signature Lookup Confusion Jeremy Hoel (May 07)
- Re: Signature Lookup Confusion Jeremy Hoel (May 07)
- Re: Signature Lookup Confusion beenph (May 07)
- Re: Signature Lookup Confusion Ian Bowers (May 07)
- Re: Signature Lookup Confusion Ian Bowers (May 07)
- Re: Signature Lookup Confusion waldo kitty (May 07)
- Re: Signature Lookup Confusion Josh Bitto (May 07)
- Re: Signature Lookup Confusion Jeremy Hoel (May 07)
- Re: Signature Lookup Confusion Joel Esler (May 07)
- Re: Signature Lookup Confusion Josh Bitto (May 07)
- Re: Signature Lookup Confusion Josh Bitto (May 08)
- Re: Signature Lookup Confusion Joel Esler (May 08)
- Re: Signature Lookup Confusion Josh Bitto (May 07)
- Re: Signature Lookup Confusion Jeremy Hoel (May 07)