[Snort-users] Logs

John Sage jsage at ...2022...
Mon Sep 23 08:56:03 EDT 2002


On Sun, Sep 22, 2002 at 08:51:56PM -0500, Tim Plinth wrote:
> I've been running snort for a short while now, and most of the stuff
in the logs I can understand. However there is stuff I dont have a
clue about. Could you give be a link where I could read up on
"understanding you snort logs" or explain it to me?

If it's the entire packet itself you want to understand, get a
copy of "TCP/IP Illustrated", vol.1, WR Stevens, Addison-Wesley pubs.

If it's the snort alerts, my personal recommendation would be to learn
how to find the specific rule that's been triggered, read the rule,
and learn how to interpret it.

You don't say what platform you're working on, but here's a *nix|*nux
quick review:


"WEB-IIS CodeRed v2 /scripts/root.exe access"

grep in /usr/local/your_snort_install_dir/ thus:

[toot at ...2057... /usr/local/snort-rules]# grep 'CodeRed v2' *

web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"WEB-IIS CodeRed v2 root.exe access"; flags:A+; \
uricontent:"scripts/root.exe?"; nocase; \
classtype:web-application-attack; \
reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1256; rev:6;)


This rule is looking for TCP flags = ACK plus others (see: TCP/IP
Illus.); the string "scripts/root.exe?" in the packet payload; the
string shall be case-insensitive

A reference as to why this is important can be found at

Really the best way to do it is to work through several.

See also the "Snort Users Manual" - mine's at version "Snort Release:
1.9.x - Martin Roesch - 26th April 2002" for snort 1.8.7


- John
"It's a troll! Run!^H^H^H^H Laugh!"

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705

More information about the Snort-users mailing list