Re: finding which rule

[Y M <snort () outlook com>]

Date: Thu, 24 Jul 2014 15:52:50 -0400
From: yawningdogge () gmail com
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] finding which rule

I use pulledpork.
1. When you deployed Snort, did you copy all of the necessary files to the respective directories (so_rules, 
preproc_rules, etc.)?2. When you run Snort, from the run stats, under "Snort rules read", how many preprocessor rules 
are being loaded?
A correction about my initial post, i said it is sid:2, I should have said sid:1 based on your alert data.


On Thu, Jul 24, 2014 at 3:50 PM, Y M <snort () outlook com> wrote:




Date: Thu, 24 Jul 2014 15:44:24 -0400
From: yawningdogge () gmail com
To: snort-users () lists sourceforge net

Subject: Re: [Snort-users] finding which rule

My preprocessor.rules file is blank
How did you copy/install your rules?


On Thu, Jul 24, 2014 at 3:24 PM, Y M <snort () outlook com> wrote:







Date: Thu, 24 Jul 2014 15:02:34 -0400
From: yawningdogge () gmail com
To: snort-users () lists sourceforge net


Subject: [Snort-users] finding which rule

I'm getting a lot of alerts that look like this.
[**] [129:20:1] Snort Alert [129:20:1] [**]
[Classification: Potentially Bad Traffic] [Priority: 2] 
07/24-14:15:35.196146 172.28.61.104:22 -> 172.28.61.88:20309
TCP TTL:64 TOS:0x10 ID:59076 IpLen:20 DgmLen:104 DF
***AP*** Seq: 0x8055FA2A  Ack: 0x450C8A09  Win: 0x545  TcpLen: 20





How do I go about finding the rule that generated this alert?


The "[129:20:1]" stands for [GID:SID:REV]. GID with value 129 is generated by the Stream5 preprocessor 
(http://manual.snort.org/node18.html), and the alert sid is 2. You can go with something similar to (assuming you are 
running *nix):


grep "sid: 2; gid: 129" /your/pathto/preproc_rules/preprocessor.rules. Though you may not get the exact content match 
upon which this signature is matching but it has references to CVE/Bugtraq. In general, the alert warns about existing 
payload on a SYN packet, which may be categorized as unusual behavior; ie., sending data on the initial SYN. You need 
to investigate to determine if it is legit or not.


The reason your alert is  showing as "Snort Alert" instead of the actual signature message is that the sid-msg.map is 
not updated with the specific signature information. 


YM


------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
                                          



------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!                                        
  



------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!