[Snort-users] how to read logs

Matt Kettler mkettler at ...7367...
Wed Dec 18 15:10:04 EST 2002


At 01:49 PM 12/18/2002 +0530, you wrote:
>how to interpret logs generated by snort.


Read them with a text editor? :)

More seriously, if the majority of snort output isn't self explanatory, or 
at least explanatory enough that you can ask some  more specific questions 
than that, then you're likely to need to learn a LOT more than I, or anyone 
else, can convey in email. You'll probably need to read up a lot here.

It would be impossible to simplify snort to a level that someone who knows 
nothing about networks could understand it. It's inherently complicated 
information, but a good, well rounded systems admin or router admin should 
already know enough to handle it, or at least know where to start looking 
for answers.

There's some basic subjects you'll need to know about, and I'm going to try 
to add some website links where you can read up a bit on each subject. If 
you already know a good bit about this stuff, but just need some specific 
information about certain ports/packet patterns, skip to number 5, and if 
that doesn't help, post a specific question on this list.



         1)You'll need to understand some basics of IP, TCP, and UDP. 
Things like destination addresses, source addresses, common ports, what TCP 
SYN, FIN and RST mean, etc. The same kind of basic knowledge of the 
internet you need to successfully configure a multi-interface router 
applies here, although you don't need to know router syntax.
         A truly basic "intro to TCP/IP"
         http://pclt.cis.yale.edu/pclt/COMM/TCPIP.HTM

         A reasonable looking TCP/IP FAQ:
         http://www.itprc.com/tcpipfaq/default.htm

         basics of firewalls, DMZ's, etc.
         http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/Firewall-HOWTO.html

         2) You'll need to understand some basics of how network attacks 
work. I'd Recommend skimming over "Smashing the Stack for fun and profit" 
by Aleph one.  A deep understanding isn't necessary, but a casual read of 
this will give you some helpful basics in understanding the kinds of things 
that happen in an attack, and give you a better understanding of what to 
look for.
         http://www.insecure.org/stf/smashstack.txt

         3) also a good guide on securing systems is helpful, something 
like this one:
         http://www.openna.com/products/books/sol/solus.php
         or this one:
         http://www.seifried.org/lasg/


         4) You'll need to understand the basics of internet servers, ie: 
what DNS, HTTP, FTP, SMTP, etc are for. Most of that should be covered in 
the various other references I've made here.

         5) here's an excellent reference on "oddball" traffic patterns 
commonly seen at network borders, also very helpful
                 http://www.robertgraham.com/pubs/firewall-seen.html





More information about the Snort-users mailing list