[Snort-users] Snort logging to mysql

Edward W. Ray ewray_home at ...7224...
Wed Oct 23 21:56:02 EDT 2002

Knew I should have left my snort running with 1.8.7.  It was working
fine until I upgraded to 1.9

My snort does not seem to be logging any alerts at all.

Current snort PID shows /usr/sbin/snort -A fast -b -l /var/log/snort -d
-D -i eth0 -c /etc/snort/snort.conf

My alert file is unchanged since early this afternoon, even though I ran
a few nmap scans.

Is their a file/directory where I can view snort errors, if any?  I
still do not know enough info to ask the question of why snort is not
logging to mysql.


Edward Ray  

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Zachary
Sent: Wednesday, October 23, 2002 7:13 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] alert file


How can I tell which snort alerts I should be concerned about and which
are harmless? I was running various IDS programs but the trigger
threshold seemed so low I was getting root mailed every 20 secs with
some different sort of "alert" sheesh.

Here is a small sample of my /var/log/snort/alert file which is now over
200Kb !

Do any of these entries seem troubling:

(PS: Can someone explain exactly how I interpret these alerts? Perhaps
if someone could take 1 of the examples below and explain in detail what
it really is saying.)

[**] [1:1256:3] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/31-08:44:22.007315 -> TCP
TTL:113 TOS:0x0 ID:55556 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0xD9C61308  Ack: 0xF34FE080  Win: 0x4470  TcpLen: 20 [Xref
=> http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/31-08:44:23.305171 -> TCP
TTL:113 TOS:0x0 ID:55894 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xDA026642  Ack: 0xF3814B1A  Win: 0x4470  TcpLen: 20

[**] [1:1243:2] WEB-IIS ISAPI .ida attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/09-07:33:03.245945 -> TCP
TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1504
***AP*** Seq: 0x13301FBD  Ack: 0x81338CD8  Win: 0x7D78  TcpLen: 20 [Xref
=> http://www.whitehats.com/info/IDS552]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0071]

[**] [1:620:1] SCAN Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/02-01:04:42.380797 -> TCP
TTL:50 TOS:0x0 ID:4457 IpLen:20 DgmLen:60 DF
******S* Seq: 0xB1259605  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 254576492 0 NOP WS: 0 

[**] [1:618:1] INFO - Possible Squid Scan [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/02-01:04:42.391610 -> TCP
TTL:50 TOS:0x0 ID:38290 IpLen:20 DgmLen:60 DF
******S* Seq: 0xB12412FE  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 254576492 0 NOP WS: 0 

[**] [100:1:1] spp_portscan: PORTSCAN DETECTED from
(THRESHOLD 4 connections exceeded in 0 seconds) [**]

[**] [100:2:1] spp_portscan: portscan status from 5
connections across 1 hosts: TCP(5), UDP(0) [**] 06/02-01:45:57.095856 

[**] [1:485:2] ICMP Destination Unreachable (Communication
Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3] 06/11-16:58:24.731259 -> ICMP TTL:240 TOS:0x0 ID:0 IpLen:20
TCP TTL:49 TOS:0x0 ID:23628 IpLen:20 DgmLen:60 DF
Seq: 0xE413B5A3  Ack: 0x1030300

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/21-04:04:16.206809 -> ICMP TTL:25 TOS:0x0
ID:39126 IpLen:20 DgmLen:28
Type:8  Code:0  ID:32305   Seq:0  ECHO
[Xref => http://www.whitehats.com/info/IDS162]

[**] [1:477:1] ICMP Source Quench [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/24-06:36:42.576710 -> ICMP TTL:237
TOS:0x0 ID:12946 IpLen:20 DgmLen:56 DF Type:4  Code:0  SOURCE QUENCH

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3] 09/28-10:12:25.898514 -> ICMP TTL:127 TOS:0x0 ID:59706
IpLen:20 DgmLen:60
Type:8  Code:0  ID:49409   Seq:256  ECHO
[Xref => http://www.whitehats.com/info/IDS154]

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3] 09/28-10:12:26.738515 -> ICMP TTL:127 TOS:0x0 ID:59707
IpLen:20 DgmLen:60
Type:8  Code:0  ID:49409   Seq:512  ECHO
[Xref => http://www.whitehats.com/info/IDS154]

[**] [117:1:1] (spp_portscan2) Portscan detected from 1
targets 21 ports in 34 seconds [**] 10/19-16:20:36.260326 -> TCP TTL:49 TOS:0x0 ID:0 IpLen:20
DgmLen:60 DF
***A**S* Seq: 0xD374503C  Ack: 0xBF02541A  Win: 0x16A0  TcpLen: 40 TCP
Options (5) => MSS: 1460 SackOK TS: 502137444 5021379 NOP 
TCP Options => WS: 0 

[**] [1:613:1] SCAN myscan [**]
[Classification: Attempted Information Leak] [Priority: 2] 
10/20-03:36:59.790314 -> TCP
TTL:243 TOS:0x0 ID:39291 IpLen:20 DgmLen:40
******S* Seq: 0x64  Ack: 0x0  Win: 0x200  TcpLen: 20
[Xref => arachnids 439]


This sf.net email is sponsored by: Influence the future 
of Java(TM) technology. Join the Java Community 
Process(SM) (JCP(SM)) program now. 

Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20021023/b5c2f293/attachment.html>

More information about the Snort-users mailing list