[Snort-users] ALERT in logs

Helio Coelho Jr. - CompuLand ISP Admin helio at ...119...
Fri Sep 22 12:58:34 EDT 2000


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Em 20-Sep-2000 Martin Roesch escreveu:
> Can you send us an example of an alert that's been flagged with just an
> "ALERT" as the message (and maybe a packet dump of that packet as well)?

Hi Marty:
 
  I found the rule that triggers the standalone 'alerts':

log tcp any any -> any 6667 (flags: PA; content: "USER "; nocase; offset:0;
depth:5; content: " "; offset:11; depth:1; content: " "; offset: 18; depth:1;
content: " :"; offset: 26; depth: 2; msg: "PrettyPark activity!";) 

 When the packet was directed to port 6667, although not related to Pretty
Park, I got just an 'ALERT' and no further explanation. I misunderstood
the rule and I supposed that every time this particular rule was triggered
the alert should be "PrettyPark activity!", but that's not what happens.

Best Regards,
Helio.
 

- -- 
CompuLand ISP Admin
GnuPG Public Key: http://www.compuland.com.br/helio/gpgpublic.txt
- --
Let thy maid servant be faithful, strong, and homely.
                -- Benjamin Franklin

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE5y4+6s4JCXSskkw8RApa6AJ96c8wfgqq0Nn30NkrM9YXa3pn2nwCfVHZC
OgFkIe+odrbthVmtoR+I8aQ=
=rn42
-----END PGP SIGNATURE-----
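Added example, not part of the post above and not Snort's own code: a small
Python parser for the quoted rule that shows how the content/offset/depth
clauses are applied to a packet payload, so a reader can see exactly which IRC
USER lines the rule's four content: clauses will match. The depth semantics
(depth counted from offset, so the pattern must lie within
payload[offset:offset+depth]) and the two IRC USER lines are my assumptions and
constructed test data, not anything the post states.

```python
import re

# Rule quoted in the post above, used here as the sample input.
RULE = (
    'log tcp any any -> any 6667 (flags: PA; content: "USER "; nocase; offset:0; '
    'depth:5; content: " "; offset:11; depth:1; content: " "; offset: 18; depth:1; '
    'content: " :"; offset: 26; depth: 2; msg: "PrettyPark activity!";)'
)

HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S
)
# one option: name, optional ': value' (quoted or bare), terminated by ';'
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def parse_rule(rule):
    """Split a one-line Snort rule into its header fields and its option list."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("unrecognised rule header")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = []
    for name, value in OPTION_RE.findall(body):
        value = value.strip()
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]          # drop the quotes around content:/msg:
        options.append((name, value))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}


def content_matchers(options):
    """Group each content: with the nocase/offset/depth modifiers that follow it."""
    matchers = []
    for name, value in options:
        if name == "content":
            matchers.append({"pattern": value.encode(), "nocase": False,
                             "offset": 0, "depth": None})
        elif name == "nocase" and matchers:
            matchers[-1]["nocase"] = True
        elif name in ("offset", "depth") and matchers:
            matchers[-1][name] = int(value)
    return matchers


def payload_matches(rule, payload):
    """True when every content: clause of the rule is found in the payload.

    Assumption (not stated in the post): depth is counted from offset, so the
    pattern has to sit entirely inside payload[offset:offset+depth].
    """
    for m in content_matchers(parse_rule(rule)["options"]):
        end = None if m["depth"] is None else m["offset"] + m["depth"]
        window = payload[m["offset"]:end]
        pattern = m["pattern"]
        if m["nocase"]:
            window, pattern = window.lower(), pattern.lower()
        if pattern not in window:
            return False
    return True


def rule_msg(rule):
    """Return the msg: text the rule carries, or None if it has no msg: option."""
    for name, value in parse_rule(rule)["options"]:
        if name == "msg":
            return value
    return None


# Constructed IRC USER lines (not captured traffic). The first has field widths
# chosen so that spaces land on bytes 11, 18 and 26 and ':' on byte 27, which is
# what the rule's offset/depth clauses require; the second is an ordinary client.
FIXED_WIDTH_USER = b"USER abcdef ghijkl mnopqrs :Real Name\r\n"
ORDINARY_USER = b"USER bob localhost irc.example.net :Bob\r\n"

if __name__ == "__main__":
    r = parse_rule(RULE)
    print(r["action"], r["proto"], "-> port", r["dport"], "msg =", rule_msg(RULE))
    print("fixed-width USER matches:", payload_matches(RULE, FIXED_WIDTH_USER))
    print("ordinary USER matches:   ", payload_matches(RULE, ORDINARY_USER))
```

Running it prints the parsed action (note the rule uses log, not alert), the
destination port and the msg: text, then True for the fixed-width USER line and
False for the ordinary one, because byte 11 of the ordinary line is not a space.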


