[Snort-users] how to read logs
jimmcmurry at ...131...
Wed Dec 18 23:31:09 EST 2002
As this is my first post to the list (just signed up today) I must say I found your attitude to be, well, very different than most I have seen in other lists, where newbies are bashed with a passion.

Thank you!

Thanks for all the great information! (Not that I needed it, but after going through the SANS course today, I found your posting to be most edificational (if there is such a word).)
--- Matt Kettler <mkettler at ...7367...> wrote:
> At 01:49 PM 12/18/2002 +0530, you wrote:
> > how to interpret logs generated by snort.
>
> Read them with a text editor? :)
>
> More seriously, if the majority of snort output isn't self-explanatory, or at least explanatory enough that you can ask some more specific questions than that, then you're likely to need to learn a LOT more than I, or anyone else, can convey in email. You'll probably need to read up a lot here.
>
> It would be impossible to simplify snort to a level that someone who knows nothing about networks could understand it. It's inherently complicated information, but a good, well-rounded systems admin or router admin should already know enough to handle it, or at least know where to start looking for answers.
>
> There are some basic subjects you'll need to know about, and I'm going to try to add some website links where you can read up a bit on each subject. If you already know a good bit about this stuff, but just need some specific information about certain ports/packet patterns, skip to number 5, and if that doesn't help, post a specific question on this
>
> 1) You'll need to understand some basics of IP, TCP, and UDP. Things like destination addresses, source addresses, common ports, what TCP SYN, FIN and RST mean, etc. The same kind of basic knowledge of the internet you need to successfully configure a multi-interface router applies here, although you don't need to know router
>
> A truly basic "intro to TCP/IP"
> A reasonable looking TCP/IP FAQ:
> basics of firewalls, DMZs, etc.
>
> 2) You'll need to understand some basics of how network attacks work. I'd recommend skimming over "Smashing the Stack for Fun and Profit" by Aleph One. A deep understanding isn't necessary, but a casual read of this will give you some helpful basics in understanding the kinds of things that happen in an attack, and give you a better understanding of what to look for.
>
> 3) Also a good guide on securing systems is helpful, something like this one:
> or this one:
>
> 4) You'll need to understand the basics of internet servers, i.e. what DNS, HTTP, FTP, SMTP, etc. are for. Most of that should be covered in the various other references I've made here.
>
> 5) Here's an excellent reference on "oddball" traffic patterns commonly seen at network borders, also very helpful
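To make the quoted advice concrete, here is an added example that is not part of this thread: a small parser for Snort's alert_fast output that answers the first questions a newcomer should ask of a log, namely which signatures fired, which destination ports were hit, and from which source addresses. The sample alert lines are constructed (local-range SIDs, RFC 5737 addresses), and the parser handles IPv4 only.

```python
import re
from collections import Counter, defaultdict

# Snort "alert_fast" layout (IPv4 only here; Classification optional; ICMP lines have no ports):
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: n] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line):  # fields of one alert line, or None for a non-alert line
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
        a[k] = int(a[k]) if a[k] is not None else None
    return a

def summarize(lines):
    # Which signatures fired, which (proto, dport) services were hit, and from where.
    by_signature, by_service = Counter(), Counter()
    sources = defaultdict(set)            # (proto, dport) -> source IPs seen
    skipped = 0                           # non-alert lines (e.g. preprocessor chatter)
    for line in lines:
        a = parse_alert(line)
        if a is None:
            skipped += bool(line.strip())
            continue
        by_signature[(a["sid"], a["msg"])] += 1
        svc = (a["proto"], a["dport"])
        by_service[svc] += 1
        sources[svc].add(a["src"])
    return {"by_signature": dict(by_signature), "by_service": dict(by_service),
            "sources": {k: sorted(v) for k, v in sources.items()}, "skipped": skipped}

# Constructed sample (local-range SIDs, RFC 5737 addresses), not real log data.
SAMPLE_LOG = """\
12/18-23:31:09.123456  [**] [1:1000001:1] LOCAL SQL service probe [**] [Classification: Attempted Recon] [Priority: 2] {UDP} 192.0.2.10:1434 -> 198.51.100.5:1434
12/18-23:31:10.000001  [**] [1:1000002:1] LOCAL web probe [**] [Priority: 3] {TCP} 192.0.2.10:40001 -> 198.51.100.7:80
12/18-23:31:11.500000  [**] [1:1000002:1] LOCAL web probe [**] [Priority: 3] {TCP} 192.0.2.11:40002 -> 198.51.100.7:80
12/18-23:31:12.250000  [**] [1:1000003:1] LOCAL ICMP ping [**] [Priority: 3] {ICMP} 192.0.2.12 -> 198.51.100.7
this is not an alert line and is counted as skipped
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

Run it against a real alert file with `summarize(open("alert").read().splitlines())`; the services hit by the most distinct sources are usually the first thing worth looking into.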