[Snort-users] how to read logs

mcmurry jim jimmcmurry at ...131...
Wed Dec 18 23:31:09 EST 2002


Matt

As this is my first post to the list (just signed up
today) I must say I found your attitude to be, well,
very different than most I have seen in other lists,
where newbies are bashed with a passion.

Thank you!


Thanks for all the great information! (Not that I
needed it, but after going through the SANS course
today, I found your posting to be most edificational
(if there is such a word).)

Jim



--- Matt Kettler <mkettler at ...7367...> wrote:
> At 01:49 PM 12/18/2002 +0530, you wrote:
> >how to interpret logs generated by snort.
> 
> 
> Read them with a text editor? :)
> 
> More seriously, if the majority of snort output isn't self-explanatory,
> or at least explanatory enough that you can ask some more specific
> questions than that, then you're likely to need to learn a LOT more
> than I, or anyone else, can convey in email. You'll probably need to
> read up a lot here.
>
> It would be impossible to simplify snort to a level that someone who
> knows nothing about networks could understand it. It's inherently
> complicated information, but a good, well-rounded systems admin or
> router admin should already know enough to handle it, or at least know
> where to start looking for answers.
>
> There are some basic subjects you'll need to know about, and I'm going
> to try to add some website links where you can read up a bit on each
> subject. If you already know a good bit about this stuff, but just need
> some specific information about certain ports/packet patterns, skip to
> number 5, and if that doesn't help, post a specific question on this
> list.
> 
> 
> 
>          1) You'll need to understand some basics of IP, TCP, and UDP.
> Things like destination addresses, source addresses, common ports, what
> TCP SYN, FIN and RST mean, etc. The same kind of basic knowledge of the
> internet you need to successfully configure a multi-interface router
> applies here, although you don't need to know router syntax.
>          A truly basic "intro to TCP/IP"
>          http://pclt.cis.yale.edu/pclt/COMM/TCPIP.HTM
>
>          A reasonable looking TCP/IP FAQ:
>          http://www.itprc.com/tcpipfaq/default.htm
>
>          basics of firewalls, DMZs, etc.
>          http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/Firewall-HOWTO.html
>
>          2) You'll need to understand some basics of how network attacks
> work. I'd recommend skimming over "Smashing the Stack for fun and profit"
> by Aleph One. A deep understanding isn't necessary, but a casual read of
> this will give you some helpful basics in understanding the kinds of
> things that happen in an attack, and give you a better understanding of
> what to look for.
>          http://www.insecure.org/stf/smashstack.txt
>
>          3) also a good guide on securing systems is helpful, something
> like this one:
>          http://www.openna.com/products/books/sol/solus.php
>          or this one:
>          http://www.seifried.org/lasg/
>
>          4) You'll need to understand the basics of internet servers,
> i.e. what DNS, HTTP, FTP, SMTP, etc. are for. Most of that should be
> covered in the various other references I've made here.
>
>          5) here's an excellent reference on "oddball" traffic patterns
> commonly seen at network borders, also very helpful
>          http://www.robertgraham.com/pubs/firewall-seen.html