
Re: snort question



On Thu, Nov 16, 2000 at 01:57:58PM +0100, Michael Meskes wrote:
> Is there any documentation that gives some detailed information about the
> events snort logs? I've installed it to test it a little bit but haven't
> found time yet. But today I got this:

The IDS numbers are from whitehats.com, the CVE numbers are from CVE.

The snort stats script has some shortcomings; one is the cutting off of the
description line and the port numbers, so have a look in your syslog to see
the full message, which would be:

3ecki@calista:~> grep IDS244 /etc/snort/*
/etc/snort/webmisc-lib:alert tcp !$HOME_NET any -> $HOME_NET 2301
(msg:"IDS244 - CVE-1999-0771 - Compaq-insight-dot-dot"; content: "../";) 

http://www.whitehats.com/IDS/244
...

http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0771
Name
            CVE-1999-0771
Description
            The web components of Compaq Management
            Agents and the Compaq Survey Utility allow a
            remote attacker to read arbitrary files via a .. (dot
            dot) attack. 


 References
	 BUGTRAQ:19990526 Infosec.19990526.compaq-im.a
	 COMPAQ:SSRT0612U
	 XF:management-agent-file-read 

Regards
Bernd
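
The lookup described in the message above, as an added example that is not part of the original post: it parses the grep output for the rule, pulls the IDS and CVE numbers out of the `msg` option, and builds the two reference URLs in the form the message links to. The function name `parse_rule` and the regular expressions are assumptions made for this illustration; only quoted `key:"value";` options are read.

```python
import re

# Grep output as shown in the message above (the rule wraps over two lines).
GREP_OUTPUT = '''/etc/snort/webmisc-lib:alert tcp !$HOME_NET any -> $HOME_NET 2301
(msg:"IDS244 - CVE-1999-0771 - Compaq-insight-dot-dot"; content: "../";)'''

# Optional "file:" prefix from grep, then the rule header, then the option body.
RULE_RE = re.compile(
    r'^(?:(?P<file>[^:\s]+):)?(?P<action>\w+)\s+(?P<proto>\w+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)
# Quoted key:"value"; options; bare keywords carry no reference ids and are ignored.
OPT_RE = re.compile(r'(\w+)\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')

# URL patterns copied from the two links in the message.
IDS_URL = "http://www.whitehats.com/IDS/{}"
CVE_URL = "http://cve.mitre.org/cgi-bin/cvename.cgi?name={}"


def parse_rule(text):
    """Parse one (possibly wrapped) rule; return a dict, or None if no match."""
    line = " ".join(part.strip() for part in text.splitlines())
    m = RULE_RE.match(line)
    if m is None:
        return None
    rule = m.groupdict()
    rule["options"] = OPT_RE.findall(rule.pop("opts"))
    msg = next((v for k, v in rule["options"] if k == "msg"), "")
    rule["msg"] = msg
    refs = []
    ids = re.search(r'\bIDS(\d+)\b', msg)
    if ids:
        refs.append(IDS_URL.format(ids.group(1)))
    cve = re.search(r'\bCVE-(\d{4}-\d+)\b', msg)
    if cve:
        refs.append(CVE_URL.format(cve.group(1)))
    rule["refs"] = refs
    return rule


if __name__ == "__main__":
    parsed = parse_rule(GREP_OUTPUT)
    print(parsed["msg"])
    for url in parsed["refs"]:
        print(url)
```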


