[Snort-users] How to find Snort ID in /var/log/snort/alert records?
James Sinnamon

2004-09-27, 2:45 am

Dear Snort users,

I have had Snort running since May on a Debian
Linux system, but I still do not know how to
use the information in /var/log/snort/alert*.
I bought "Snort for Dummies" to kick start
myself, but the description of the alert records
does not correspond to what I find on my system.

In particular, I am unable to
obtain a 'Snort ID' which matches anything at:

http://www.snort.org/cgi-bin/done.cgi

(For all I know, my firewalled system,
running an SMTP server, Mailman, sshd and
Apache, may well have been hacked into
and totally compromised in this period of time,
and Snort may have changed to output only
gibberish.)

The content of /var/log/alert now includes (with IP addrs changed):

[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
09/27-08:39:21.347580 147.16.81.75:32999 -> 203.26.51.42:80
TCP TTL:63 TOS:0x0 ID:57676 IpLen:20 DgmLen:1272 DF
***AP*** Seq: 0xF0F14CE9 Ack: 0xF0CED3A Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 175525 948682168

[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
09/27-08:39:32.182348 147.16.81.75:33010 -> 203.26.51.42:80
TCP TTL:63 TOS:0x0 ID:25593 IpLen:20 DgmLen:1272 DF
***AP*** Seq: 0xF120D22B Ack: 0x778B898C Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 176608 939098917

[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
09/27-09:11:32.017827 147.16.81.75:33483 -> 202.139.107.20:80
TCP TTL:63 TOS:0x0 ID:28272 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x69DCF1BA Ack: 0xFBBF7BBA Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 368601 648869733

[**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
09/27-09:12:25.912677 147.16.81.75:33488 -> 202.139.106.174:80
TCP TTL:63 TOS:0x0 ID:18618 IpLen:20 DgmLen:620 DF
***AP*** Seq: 0x6CC6FC5C Ack: 0xCED41371 Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 373991 780114678

... do the above records contain Snort IDs? The closest I can find are:
[119:16:1], [119:15:1], and [119:2:1].

Also, I am not sure which of the port pairs is meant to be the source and
which is meant to be the destination. Are the above records of:

1) attempts to hack into my system (147.16.81.75), or
2) attempts by processes on my system to hack into other
systems (203.26.51.42, 202.139.107.20, 202.139.106.174)?

TIA

James

--
James Sinnamon
frodo000@bigpond net au
+61 412 319669, +61 2 95692123


Snort-users mailing list
Snort-users@lists.sourceforge.net
Nigel Houghton

2004-09-27, 5:47 pm

On 0, snort-users-request@lists.sourceforge.net allegedly wrote:
> Dear Snort users,
>
> I have had Snort running since May on a Debian
> Linux system, but I still do not know how to
> use the information in /var/log/snort/alert*.
> I bought "Snort for Dummies" to kick start
> myself, but the description of the alert records
> does not correspond to what I find on my system.
>
> In particular, I am unable to
> obtain a 'Snort ID' which matches anything at:
>
> http://www.snort.org/cgi-bin/done.cgi
>
> (For all I know, my firewalled system,
> running an SMTP server, Mailman, sshd and
> Apache, may well have been hacked into
> and totally compromised in this period of time,
> and Snort may have changed to output only
> gibberish.)
>
> The content of /var/log/alert now includes (with IP addrs changed):
>
> [**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
> 09/27-08:39:21.347580 147.16.81.75:32999 -> 203.26.51.42:80
> TCP TTL:63 TOS:0x0 ID:57676 IpLen:20 DgmLen:1272 DF
> ***AP*** Seq: 0xF0F14CE9 Ack: 0xF0CED3A Win: 0x16D0 TcpLen: 32
> TCP Options (3) => NOP NOP TS: 175525 948682168
>
> [**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
> 09/27-08:39:32.182348 147.16.81.75:33010 -> 203.26.51.42:80
> TCP TTL:63 TOS:0x0 ID:25593 IpLen:20 DgmLen:1272 DF
> ***AP*** Seq: 0xF120D22B Ack: 0x778B898C Win: 0x16D0 TcpLen: 32
> TCP Options (3) => NOP NOP TS: 176608 939098917
>
> [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
> 09/27-09:11:32.017827 147.16.81.75:33483 -> 202.139.107.20:80
> TCP TTL:63 TOS:0x0 ID:28272 IpLen:20 DgmLen:1500 DF
> ***A**** Seq: 0x69DCF1BA Ack: 0xFBBF7BBA Win: 0x16D0 TcpLen: 32
> TCP Options (3) => NOP NOP TS: 368601 648869733
>
> [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
> 09/27-09:12:25.912677 147.16.81.75:33488 -> 202.139.106.174:80
> TCP TTL:63 TOS:0x0 ID:18618 IpLen:20 DgmLen:620 DF
> ***AP*** Seq: 0x6CC6FC5C Ack: 0xCED41371 Win: 0x16D0 TcpLen: 32
> TCP Options (3) => NOP NOP TS: 373991 780114678
>
> ... do the above records contain Snort IDs? The closest I can find are:
> [119:16:1], [119:15:1], and [119:2:1].


Correct, these are in the format [generator id : snort id : revision].
This means you have a generator ID of 119 and Snort IDs of 16, 15 and 2, all
of which are revision number 1. Generator ID 119 relates to http_inspect;
look in gen-msg.map for all the others. The (http_inspect) in the message
is also a dead giveaway.

> Also, I am not sure which of the port pairs is meant to be the source and
> which is meant to be the destination. Are the above records of:
>
> 1) attempts to hack into my system (147.16.81.75), or
> 2) attempts by processes on my system to hack into other
> systems (203.26.51.42, 202.139.107.20, 202.139.106.174)?



The direction indicator in the event message indicates the events are
coming from 147.16.81.75 and going to the addresses indicated.

More information on the events can be found at:

http://www.snort.org/snort-db/sid.html?sid=119-16

http://www.snort.org/snort-db/sid.html?sid=119-15

http://www.snort.org/snort-db/sid.html?sid=119-2




+-------------------------------------------------------------------------+
,,_ Nigel Houghton Research Engineer Sourcefire Inc.
o" )~ Vulnerability Research Team
''''
"Dude, dolphins are intelligent and friendly!" - Wendy
"Intelligent and friendly on rye bread, with some mayonaise." - Cartman
+-------------------------------------------------------------------------+
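The two points in Nigel's reply (the [gid:sid:rev] triple, and the packet line always reading source -> destination) are easy to turn into a small script that does for a whole alert file what he did by hand for three records. The Python below is an added example, not part of this thread and not Snort's own code. It parses records in Snort's "full" alert format, resolves the triple through an excerpt written in gen-msg.map's "gid || sid || msg" layout (constructed here, listing only the generator 119 events quoted above), and labels each record inbound or outbound relative to a HOME_NET you supply. The HOME_NET value 147.16.81.0/24 and the third sample record (gid 1, local sid 1000001, with a classification line and an inbound destination) are assumptions made for the demo; the first two records are the ones James posted.

```python
"""Added example (not from the thread, not Snort's own code): parse records in
Snort's "full" alert format, resolve the [gid:sid:rev] triple through a
gen-msg.map excerpt, and label each record inbound/outbound against HOME_NET."""
import ipaddress
import re
from collections import Counter

# Constructed excerpt in gen-msg.map's "gid || sid || message" layout. Only
# the generator-119 events quoted in the thread are listed here.
GEN_MSG_MAP = """\
1 || 1 || snort general alert
119 || 2 || (http_inspect) DOUBLE DECODING ATTACK
119 || 15 || (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
119 || 16 || (http_inspect) OVERSIZE CHUNK ENCODING
"""

# Constructed sample: the first two records are copied from the thread; the
# third (gid 1, local sid 1000001, classification line, inbound to port 22)
# is invented here to exercise the optional fields and the other direction.
SAMPLE_ALERT = """\
[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
09/27-08:39:21.347580 147.16.81.75:32999 -> 203.26.51.42:80
TCP TTL:63 TOS:0x0 ID:57676 IpLen:20 DgmLen:1272 DF
***AP*** Seq: 0xF0F14CE9 Ack: 0xF0CED3A Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 175525 948682168

[**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
09/27-09:12:25.912677 147.16.81.75:33488 -> 202.139.106.174:80
TCP TTL:63 TOS:0x0 ID:18618 IpLen:20 DgmLen:620 DF
***AP*** Seq: 0x6CC6FC5C Ack: 0xCED41371 Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 373991 780114678

[**] [1:1000001:1] LOCAL constructed example rule [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/27-10:00:00.000001 10.0.0.5:4444 -> 147.16.81.75:22
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
# "timestamp src[:port] -> dst[:port]"; ports are optional so ICMP records
# parse too. Snort prints the triggering packet as source -> destination.
PACKET_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) ([\d.]+)(?::(\d+))? -> ([\d.]+)(?::(\d+))?$"
)
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP)\b")


def load_gen_msg_map(text):
    """Map (gid, sid) -> message text from gen-msg.map style lines."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        gid, sid, msg = (part.strip() for part in line.split("||", 2))
        table[(int(gid), int(sid))] = msg
    return table


def parse_alerts(text):
    """Split the alert file on blank lines and pull out the fields we need."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        header = HEADER_RE.match(lines[0])
        if header is None:
            continue  # not a record start (stray line); do not guess
        gid, sid, rev, msg = header.groups()
        alert = {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
                 "timestamp": None, "proto": None,
                 "src_ip": None, "src_port": None, "dst_ip": None, "dst_port": None}
        for line in lines[1:]:
            pkt = PACKET_RE.match(line)
            if pkt:
                ts, src, sport, dst, dport = pkt.groups()
                alert.update(timestamp=ts, src_ip=src, dst_ip=dst,
                             src_port=int(sport) if sport else None,
                             dst_port=int(dport) if dport else None)
                continue
            proto = PROTO_RE.match(line)
            if proto and alert["proto"] is None:  # first hit is the "TCP TTL:" line
                alert["proto"] = proto.group(1)
        alerts.append(alert)
    return alerts


def classify_direction(alert, home_nets):
    """'inbound'/'outbound'/'internal'/'external' relative to HOME_NET."""
    nets = [ipaddress.ip_network(n) for n in home_nets]
    src_home = any(ipaddress.ip_address(alert["src_ip"]) in n for n in nets)
    dst_home = any(ipaddress.ip_address(alert["dst_ip"]) in n for n in nets)
    if src_home and not dst_home:
        return "outbound"
    if dst_home and not src_home:
        return "inbound"
    return "internal" if src_home else "external"


def summarize(text, home_nets, gen_map):
    """Count records per (gid:sid, direction, message resolved via gen_map)."""
    counts = Counter()
    for a in parse_alerts(text):
        name = gen_map.get((a["gid"], a["sid"]), a["msg"])
        counts[(f"{a['gid']}:{a['sid']}", classify_direction(a, home_nets), name)] += 1
    return counts


if __name__ == "__main__":
    # HOME_NET here is an assumption for the demo; use the value from your snort.conf.
    table = load_gen_msg_map(GEN_MSG_MAP)
    for key, n in summarize(SAMPLE_ALERT, ["147.16.81.0/24"], table).items():
        print(n, *key)
```

Which side counts as "my system" is entirely a matter of what you put in HOME_NET; the alert file itself only tells you that the packet went from the address on the left of the arrow to the one on the right. Run it against a real /var/log/snort/alert with your own HOME_NET and the real gen-msg.map from the Snort distribution, and the per-signature, per-direction counts answer James's question 1 versus 2 for the whole file at once.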

