[Snort-users] whatis database

amp amp at
Fri Sep 22 22:06:18 EDT 2000


Thanks for the response. 

RTM is generally pretty good advice, and I've tried to do this. I plan to look 
a lot further as I suspect that this will be a part of my life for the
foreseeable future. I'm sure I'll find more information as I dig around the net
a bit, probably more than I can handle <grin>

I'd like to ask if any of y'all out there have any ideas for books on networking
I can pick up. I know a little about network protocols and such, as I've been
involved with network computers for quite a while in my job, but packet level
stuff has not ever really been something I've needed to know in great detail.
Online and offline resource recommendations would be appreciated.

I'm new to this list, and suspect I'll enjoy sitting back and reading it for a
while. From what I've read in the archives, it's got more signal than many
I've been on in the past. 

Regards,

alan

On Fri, 22 Sep 2000, Dragos Ruiu wrote:
> A short version for this and similar queries.
> 
> The first place to look for this stuff is in the rules file.
> Its syntax is simple... one line per rule.  That will tell you what in the
> packet set this off.  Not that I'm suggesting this will illuminate the 
> whole picture for you, but it will be the first step.
> 
> Then once you've glanced through this... have a look at
> the existing docs.  We all know they need more detail and 
> updating in some cases but they will be a good start.
> www.snort.org is a good place to start. I know everyone 
> hates to hear RTFM... but....
> 
> The second top level thing I would mention is that there are
> two classes of rules that you should be aware of... the content 
> triggered rules that are based on some pattern known to occur 
> in a specific attack (like your first example, which is a Windows
> SMB file browser), and the port-based trojan detection rules (your
> second query).  The port based trojan detection will go off
> anytime there is traffic to that port because that port is
> the default listen port of commonly accessible trojans...
> It falses often and can be set off by application traffic
> using that port range even randomly assigned sometimes.
> 
> cheers,
> --dr 
> 
> 
> On Fri, 22 Sep 2000, amp wrote:
> > I'd like to know if someone out there knows where a good place would be to look
> > up some of the things that snort is flagging.
> > 
> > For instance,  I see a bunch of these daily.
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> > [**] IDS177/netbios-name-query [**]
> > 09/22-04:09:05.968366 24.66.234.242:137 -> 24.7.237.246:137
> > UDP TTL:114 TOS:0x0 ID:8267
> > Len: 58
> > 16 03 00 10 00 01 00 00 00 00 00 00 20 43 4B 41  ............ CKA
> > 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> > 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  AAAAAAAAAAAAA..!
> > 00 01                                            ..
> > 
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> > 
> > I looked around the snort site, and various other places linked off the page to
> > see exactly what it is. My guess it's just a Win machine firing up on my local
> > network doing a netbios query, but I can't seem to locate a place where the
> > stuff that is flagged in the vision.rules file is documented for =why= a given
> > packet is logged as opposed to others.
> > 
> > More critically, I got one today that says...
> > +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> > /var/log/snort $ cat 24.7.237.246/TCP:3791-1115
> > [**] IDS42/trojan-active-totaleclipse [**]
> > 09/21-21:51:09.784529 24.7.237.246:3791 -> 24.27.96.210:1115
> > TCP TTL:64 TOS:0x0 ID:21024  DF
> > **S***A* Seq: 0x6593A1EC   Ack: 0x53A6C7   Win: 0x7D78
> > TCP Options => MSS: 1460 NOP NOP SackOK
> > +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> > 
> > From the description, it doesn't look like it's something that plays well
> > with others. I'd like to know if it is probing for the existence of a trojan
> > or if the trojan has already nailed me.
> > 
> > amp
> > 
> > 
> > -- 
> > amp at ...492...
> > http://www.zeugma.nu/
> > 
> > Never be afraid to try something new. 
> > Remember, amateurs built the ark. 
> > Professionals built the Titanic.
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > http://lists.sourceforge.net/mailman/listinfo/snort-users
> -- 
> Dragos Ruiu <dr at ...50...>   dursec.com ltd. / kyx.net - we're from the future 
> gpg/pgp key on file at wwwkeys.pgp.net
-- 
amp at ...492...
http://www.zeugma.nu/

Never be afraid to try something new. 
Remember, amateurs built the ark. 
Professionals built the Titanic.
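The two alert blocks quoted in this thread can be checked from the alert text itself, which is the first step Dragos describes before going to the rule file. The script below is an added example, not code from the thread or from the Snort project: it parses the two full-format alert blocks (embedded as constructed sample input, copied from amp's post), decodes the NetBIOS name inside the UDP payload using RFC 1001 first-level encoding, and reads the TCP flag field of the second alert. The function names (`parse_alert`, `decode_nbns_query`, `tcp_role`) and the regexes are my own and assume Snort 1.x's full-alert layout as shown in the post.

```python
import re
import struct

# Added example, not from the thread or Snort. Constructed sample input: the
# two alert blocks quoted in the thread, in Snort 1.x full-alert format.
NBNS_ALERT = """\
[**] IDS177/netbios-name-query [**]
09/22-04:09:05.968366 24.66.234.242:137 -> 24.7.237.246:137
UDP TTL:114 TOS:0x0 ID:8267
Len: 58
16 03 00 10 00 01 00 00 00 00 00 00 20 43 4B 41  ............ CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  AAAAAAAAAAAAA..!
00 01                                            ..
"""
TROJAN_ALERT = """\
[**] IDS42/trojan-active-totaleclipse [**]
09/21-21:51:09.784529 24.7.237.246:3791 -> 24.27.96.210:1115
TCP TTL:64 TOS:0x0 ID:21024  DF
**S***A* Seq: 0x6593A1EC   Ack: 0x53A6C7   Win: 0x7D78
TCP Options => MSS: 1460 NOP NOP SackOK
"""

HEADER_RE = re.compile(r"^\[\*\*\] (?P<sig>.+?) \[\*\*\]$")
ADDR_RE = re.compile(r"^\S+ (?P<src>[\d.]+):(?P<sport>\d+) -> "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+)$")
FLAGS_RE = re.compile(r"^([12UAPRSF*]{8}) Seq:")   # Snort's 8-column TCP flag field
NBNS_QTYPES = {0x20: "NB", 0x21: "NBSTAT"}


def _hex_bytes(line):
    """Bytes from one hex-dump line, or None if the line is not a dump line.
    Snort puts 16 hex pairs in the first 48 columns and the ASCII view after."""
    tokens = line[:48].split()
    if not tokens or not all(re.fullmatch(r"[0-9A-F]{2}", t) for t in tokens):
        return None
    return bytes.fromhex("".join(tokens))


def parse_alert(text):
    """Parse one full-format alert block into a dict (hypothetical helper)."""
    lines = text.strip("\n").splitlines()
    head, addr = HEADER_RE.match(lines[0]), ADDR_RE.match(lines[1])
    if not head or not addr:
        raise ValueError("not a Snort full-alert block")
    alert = {"sig": head.group("sig"), "proto": lines[2].split()[0],
             "src": addr.group("src"), "sport": int(addr.group("sport")),
             "dst": addr.group("dst"), "dport": int(addr.group("dport")),
             "tcp_flags": set(), "payload": b""}
    for line in lines[3:]:
        chunk, flags = _hex_bytes(line), FLAGS_RE.match(line)
        if chunk is not None:
            alert["payload"] += chunk
        elif flags:
            # Only the letters present matter; Snort versions differ in the
            # column order of the 12UAPRSF field.
            alert["tcp_flags"] = {c for c in flags.group(1) if c != "*"}
    return alert


def decode_nbns_query(payload):
    """Decode the question of a NetBIOS Name Service packet (RFC 1002 4.2.1.2)."""
    if len(payload) < 13:
        raise ValueError("short NBNS header")
    txid, flags, qdcount = struct.unpack("!3H", payload[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    label_len = payload[12]
    end = 13 + label_len
    if label_len != 32 or len(payload) < end + 5 or payload[end] != 0:
        raise ValueError("expected one 32-byte first-level-encoded label")
    encoded = payload[13:end]
    if any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("label byte outside 'A'..'P'")
    qtype, qclass = struct.unpack("!HH", payload[end + 1:end + 5])
    # RFC 1001 first-level encoding: each of the 16 name bytes is split into
    # two nibbles and each nibble is sent as 'A' + nibble, so "CK" is 0x2A, '*'.
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return {"txid": txid,
            "broadcast": bool(flags & 0x0010),        # B bit of NM_FLAGS
            "name": raw[:15].rstrip(b" \x00").decode("ascii", "replace"),
            "suffix": raw[15],                         # 16th byte: name type
            "qtype": NBNS_QTYPES.get(qtype, hex(qtype)),
            "qclass": qclass}


def tcp_role(alert):
    """Which side of the handshake sent the flagged TCP packet. A SYN+ACK is
    only sent by the side that was listening, so a port-only rule firing on
    one says a listener on that port answered; it does not say what it is."""
    f = alert["tcp_flags"]
    if {"S", "A"} <= f:
        return "listener-reply"
    if "S" in f:
        return "connect-attempt"
    return "established-or-other"
```

Run against the first block, `decode_nbns_query` returns the name `*` with query type NBSTAT: a node status request for the wildcard name, the same packet `nbtstat -A <ip>` sends, which is why a content rule can match it reliably. The second block parses to flags `{S, A}` and `tcp_role` returns `listener-reply`, which is my reading of the packet rather than the thread's: 24.7.237.246 had something accepting connections on port 3791 and answered 24.27.96.210. Since the rule matched on the port alone, the alert cannot say what that listener was; `netstat -an` on 24.7.237.246 showing what owns port 3791 is the check that decides it.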


