
Re: Snort Question



Daniel,

Thanks for your helpful response.  I also received a response from
Nigel Houghton on the snort users list to tell me how to interpret
the codes  [119:16:1], [119:15:1], and [119:2:1].  They can be found in
/etc/snort/sid-msg.map.  As an example, [119:16:1] means:

   generator id:  119 or http_inspect
   snort id:       16 or OVERSIZE CHUNK ENCODING
   revision:        1 (all revisions are currently 1)

to look it up on the snort id database, use the URL:

 http://www.snort.org/snort-db/sid.html?sid=119-16

On Mon, 27 Sep 2004 07:24 pm, Daniel Pittman wrote:
> On 27 Sep 2004, James Sinnamon wrote:
> > I haven't yet had much joy from a question, further below, which I sent
> > to the Snort mailing list. Can anyone help? Any response would be
> > appreciated, even if only to politely say that the question is too stupid
> > to warrant a response.
>
> [...]
>
> > I have had Snort running since May on a Debian Linux system, but I still
> > do not know how to use the information in /var/log/snort/alert*. I bought
> > "Snort for Dummies" to kick start myself, but the description of the
> > alert records does not correspond to what I find on my system.
>
> You may well find that the book, being paper and thus prone to getting
> outdated, no longer matches up with the version of Snort in Debian.
>
> Alternately, it may be that Debian in stable is older than the book. :)
>
> [...]
>
> > [**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
> > 09/27-08:39:21.347580 147.16.81.75:32999 -> 203.26.51.42:80 TCP TTL:63
> > TOS:0x0 ID:57676 IpLen:20 DgmLen:1272 DF ***AP*** Seq: 0xF0F14CE9 Ack:
> > 0xF0CED3A Win: 0x16D0 TcpLen: 32 TCP Options (3) => NOP NOP TS: 175525
> > 948682168
> >

<snip/>

> >
> > ... do the above records contain snort ID's? The closest I can find are:
> > [119:16:1], [119:15:1], and [119:2:1].
>
> I cannot help you there, I fear.
>
> > Also, I am not sure which of the port pairs is meant to be the source and
> > which is meant to be the destination. Are the above, records of :
> >
> > 1) attempts to hack into my system (147.16.81.75), or
> > 2) attempts by processes on my system to hack into other
> > systems (203.26.51.42, 202.139.107.20, 202.139.106.174)?
>
> The direction of the arrow (->) is a hint, I suspect. :)
>
> Those are all HTTP based attacks, so the fact that they come from the
> 147.* address on a high port and go to your systems on port 80 would
> also seem a bit of a hint.
>
> So, the answer is that they are the source host and port on the left,
> then the destination host and port on the right.
>
> These represent some sort of automatic attack on your system, most
> likely.

Also, most of the 'attacks' are originating from
my own network.  These are possibly some quirks with
Mozilla Firefox, or else from some downloaded pages.
Possibly I don't need to be too concerned about these.
Maybe I should try to change the rules to omit these sorts
of messages from /var/log/snort/alert.

So, I have now some better grasp of the basics of Snort.

Thanks again,

regards,

James


-- 
James Sinnamon
frodo000@bigpond net au 
+61 412 319669, +61 2 95692123
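As an added illustration of the two points in the thread above (the [gid:sid:rev] code in the header line, and source on the left of the "->" and destination on the right in the packet line), and not code from the thread: a small Python parser that pairs each alert header with its packet line, resolves the gid/sid through a message map, and classifies the alert relative to a home network. The sample alert is the record quoted above; the "gid || sid || msg" map layout and any home network passed to direction() are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the two-line layout of Snort's alert file (the record quoted
# in the thread above): the [gid:sid:rev] header, then the packet line.
SAMPLE_ALERT = """\
[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
09/27-08:39:21.347580 147.16.81.75:32999 -> 203.26.51.42:80 TCP TTL:63 TOS:0x0 ID:57676 IpLen:20 DgmLen:1272 DF
"""
# Constructed message map; the "gid || sid || msg" layout is an assumption.
SAMPLE_MSG_MAP = "119 || 16 || (http_inspect) OVERSIZE CHUNK ENCODING\n"
ALERT_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
PACKET_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) ([0-9.]+)(?::(\d+))?"
                       r" -> ([0-9.]+)(?::(\d+))? (\w+)")

@dataclass
class Alert:
    gid: int; sid: int; rev: int; msg: str; timestamp: str
    src: str; sport: Optional[int]; dst: str; dport: Optional[int]; proto: str

def load_msg_map(text: str) -> dict:
    # Turn "gid || sid || msg ..." lines into {(gid, sid): msg}; skip anything else.
    table = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("||")]
        if len(parts) >= 3 and parts[0].isdigit() and parts[1].isdigit():
            table[(int(parts[0]), int(parts[1]))] = parts[2]
    return table

def parse_alerts(log: str, msg_map: dict) -> list:
    alerts, lines = [], log.splitlines()
    port = lambda s: int(s) if s else None      # ICMP packet lines carry no port
    for i, line in enumerate(lines[:-1]):       # pair each header with the next line
        h, p = ALERT_RE.match(line), PACKET_RE.match(lines[i + 1])
        if not (h and p):
            continue
        gid, sid, rev = (int(x) for x in h.group(1, 2, 3))
        # Prefer the map's text; fall back to the text Snort put in the header.
        alerts.append(Alert(gid, sid, rev, msg_map.get((gid, sid), h.group(4)),
                            p.group(1), p.group(2), port(p.group(3)),
                            p.group(4), port(p.group(5)), p.group(6)))
    return alerts

def direction(a: Alert, home_net: str) -> str:
    # Left of "->" is the source; classify the alert relative to your own network.
    net = ipaddress.ip_network(home_net)
    src_home, dst_home = ipaddress.ip_address(a.src) in net, ipaddress.ip_address(a.dst) in net
    if src_home and dst_home: return "internal"
    return "inbound" if dst_home else "outbound" if src_home else "external"
```

Running direction() on the sample with 147.16.81.0/24 as the home network reports "outbound", which matches the observation in the thread that this traffic originates on James's own network.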
